161 comments

[ 3.0 ms ] story [ 215 ms ] thread
From glancing over some conversations, it looks like the bot is mostly talking to other bots.

That said, I think it’s nice to be able to reflect the same attack vector upon the attackers to make the attack less efficient and hopefully less attractive.

Many of the replies seem like they involved at least some human effort, although it would be nice to be sure--I wonder if there's some way to introduce some spammer-appropriate text captcha into the exchanges?
> That said, I think it’s nice to be able to reflect the same attack vector upon the attackers to make the attack less efficient and hopefully less attractive.

If it's just bots replying - which honestly doesn't actually seem to be the case - I don't think it's going to make a big dent in their efficiency. It might backfire, though, and just cause more garbage traffic.

I think that's mostly because conversations in the home page are sorted by frecency right now. That naturally favors bots, because they respond more immediately.
I love the use of the subdomain and email sp@mnesty.com to hide the name from spammers. But won't human spammers eventually figure out what mnesty.com is and stop responding?
Sure, but the goal is to waste their time a bit, you can't fool them forever anyway.
True, but also being a bit more random where it's not trivial to filter the bot on the spammers side would make it just a little bit harder to ignore.
That's true. Unfortunately, it's not trivial to add more domains, as you'd need to own them all (to add DNS records for sending and receiving). I wanted to accept donations at some point, in the form of pointed DNS records, but realized that I couldn't do that without owning the domain, as if the domain lapsed or was transferred, Spamnesty wouldn't know and it would keep sending email from that domain, to no avail.
You could check if the MX records still point at your service, or, better yet, send a test e-mail to that domain every so often and see if it reaches your service.
Indeed, but it's added complexity and I'm not sure how many people would bother setting the DNS records I asked for. I might try it at some point, though.
This is HN, I’m sure there’s plenty of us who have spare unused domains that would do it.
I have one domain at hand that I don't use for mail at all, so people counter >= 1. I could set any MX/SPF records you want as long as I don't have to change them every two months or so... ;-)
Out of curiosity, have you ever tried to track any stats about how often it reaches a spammer, whether it's interacting with the same spammer multiple times, etc?

While I think the donating of DNS records is an interesting idea, I personally wouldn't want to risk giving permission to an outside party for the domains I use, and I don't think it would be worthwhile to try and correctly maintain a domain just as a donation.

I don't have any stats, no. I assume most spammers are using random domains, so they wouldn't be very accurate anyway.
You could request people to home sub-domains or even register full domains for you and populate MX records etc. You simply have to test the domain records before sending. You could periodically generate a TXT record, say annually, that should be updated.

I already support several projects like this.

This is the email version of when Telemarketers call me and ask to "speak with someone in the house between the ages for x-y" to which I say, "sure just a sec", then put the phone down on the desk and walk away.
You're lucky that your spam calls come from a human. All I get is bots calling to tell me I've won a free cruise.
I've found that if I don't recognize the number, I answer the phone and don't say anything. If no voice comes over the line within 5-10 seconds, I hang up.
I have heard of these automated systems wait for a sound before it logs you as reachable for further annoyances.

If I do answer, I stay silent even muting my phone. Usually call just hangs up.

I get the cruise every few months, from a spoofed local numbers. As soon as I say hello, the automated recording went off.

I had a friend who liked playing around, and drafted fake PayPal confirmations and western union statements as proof he sent the scammers money. They were confused why they didn't have his funds asking him to triple check recipient info and resend, which he would send another fake confirmation.

They would eventually catch on cussing him out after weeks

Isn't there a registry where you can opt to not be disturbed there? We have it here and I signed up, and calls eventually stopped. I also love terrorizing spam callers with "give me your name and company name, this call is illegal". They usually get flustered and hang up.
> Isn't there a registry where you can opt to not be disturbed there?

There is, and I signed up for it. When I did, I got an order of magnitude more calls. I eventually had to change my phone number.

> I also love terrorizing spam callers with "give me your name and company name, this call is illegal". They usually get flustered and hang up.

That doesn't work on bots.

At this point, I've basically stopped answering my cell if I don't recognize the number. If it's important, they'll leave me a voicemail (it never is.).

One other thing I did was ported my landline over to callcentric.com, where for $3.50/month or so, I can 'firewall' all calls coming to that number, making it safe to give out to anyone. Their call treatments allow me to, by specific number or patterns (800*), drop, send to voicemail, play the "number disconnected" tone, forward, etc. It's great - no more calls I don't want.

I use google voice call announce for anyone not in my contact list
Is that a GV setting? Is it available on iOS?
Yes absolutely. I use the iOS app but I configured the whole thing on my laptop using the website.

switch to "legacy google voice" and then go to settings: https://i.imgur.com/wbaV75e.png

I have the feeling that all of this is going to finish bot against bot.
Well done. It does get the spammers frustrated. I remember reading about a similar thing[1] where instead of emails it was automated telephone replies and the scammers were cussing at the bots and generally super confused.

It did also manage to flood their phone lines making their call center useless for a while.

[1] https://motherboard.vice.com/en_us/article/bj8wg4/we-talked-...

Some magnificent genius has created the perfect bot for hooking predatory telemarketers. "Lenny" is a slightly confused elderly man with poor hearing. He wanders off topic, he isn't sure what you just said and he is absolute catnip for crooks. If you haven't heard a call to Lenny, you're in for an absolute treat. This call from a tech support scammer lasts an exhausting 31 minutes:

https://www.youtube.com/watch?v=UJTxkPLVxrc

https://www.reddit.com/r/itslenny/

Very well done. And the ducks -- hilarious! Now how do you scale and vary this enough, to prevent suspicion? That's the next step. Near the end (28 min), it felt like the caller was probing with "can you hear me" to collect Lenny's canned responses. Would it be better to hang up earlier to avoid suspicion?
"Lenny" is only 21 short recordings, stitched together into a crude sequence. It's a remarkably unsophisticated trick on a technical level. It wouldn't be difficult to produce dozens or hundreds of Lennies on quite a small budget. Tweak the script a bit, get someone on Fiverr to record it and you've got a new and unrecognisable Lenny MkII.
Lenny being 'just' a bunch of unchanging messages in unchanging order made it all the funnier and more amazing to me (and it was completely brilliant before I realised).

I remember first seeing it a while ago, posted here, ironically (or perhaps naturally) in a thread about Spamnasty (also excellent).

This sounds like something you could reasonably crowdfund, while delivering a really useful product.
Maybe, rather than investing more into Lenny, create some more personas (voice, gender, etc) to add to the variety between calls? Maybe also have an option to hand a call over to the next persona in lengthy calls (so that the caller has to start all over again, in order to explain the issue to the "room mate", "brother", "cousin", etc)...
This is brilliant.
"Oh, yes ... Oh, so late ... so late, already ... Listen, you have been so friendly with me, but I really have to feed the ducklings. It's well ... beyond their hour ... May I hand you over to my wife, Gertrude? She is such a nice person and knows these things better than me ..."
Somehow, somewhere Lenny has gotten connected to Lenny, detecting mutual silences and muttering at each other for years.
I'd love to see it as an app with a blacklist for spam numbers or telemarketers. Use a better text generation engine like a modern deep learning based generative model, and deep voice or crowd-sourced recordings.
> It wouldn't be difficult to produce dozens or hundreds of Lennies on quite a small budget.

I'm not sure. Even though it is, as you say, remarkably unsophisticated on a technical level, it is extremely accomplished on a artistic level.

When I first learned about Lenny, I listened to most of his conversations, and it's impressive to hear how often he actually seems to be answering questions or gets distracted in just the right way at just the right time.

The writing (and acting) is just about perfect. I don't know if this is because of sheer genius, or simply lightning in a bottle, but either way I doubt it could be simply reproduced hundreds of times.

The ducks/geese had me rolling! Love it!
i had a lenny bot running on my home phone line for a bit, i had an asterisk server with a whitelist ( i only get land calls from 2-3 numbers ) and recorded some hilarious calls, i even have a few from the church of scientology ( the prior owner of the number apparently was a member) and from bill collectors ( and she also owed a bunch of medical bills )
This is great! Instead of trying to be smart, Lenny capitalizes on prejudices about elderlies and possible communication factors regarding non-native call center operatives. It's more social engineering than a conversational bot. – Well done.
On my list "todo" for 2018 -- ThisIsBenny.com -- website with bunch of buttons every one of them different phrase so when marketer is calling you, you can put on speakerphone and "lenny" them yourself :)
The thing that makes me angry with some of those recordings is when the callers still think that they are talking to a dotty old fellow who they can con (they usually cotton on to the trick in the end). When to my ears Lenny sounds like someone with dementia who needs help and should not under any circumstances be sold to without a legal guardian present, what they seem to take from the situation is "great, I might make my who day's quota on this daft old coot". At that point "but it is my job" really doesn't cut it.
I think this is a crucial aspect of Lenny's design. If the bot was just an asshole, you might gain some sympathy for the telemarketers. Their torment at the hands of Lenny feels entirely fair, because it's obvious that he is not fit to be making financial decisions. The more unscrupulous the caller, the longer they stay on the phone with Lenny; it's an elegant self-regulating mechanism.
If they didn't try to get the sale, they'd probably get fired and swapped with someone who would.
... said the guard at Auschwitz and other places, as well.
The capitalist's Nuremberg defense?
The less supply there is of people willing to do it (at each given price I guess), the more the pay would have to be to hire people? So, I think, changing the population willingness to do it would change the profitability of it somewhat, perhaps slightly changing how much it gets done?

I'm not sure.

As I said, IMO "but it is my job" is not a morally defensible excuse.
This is quite easy to make into a phone app too, seeing how apps can intercept calls. Combine it with a phone number database like Whoscall, and one can get beautiful results.
An even more beautiful idea would be if you could let your phone provider run the bot. Just press the magic button and the spam caller gets transferred to the upside down in the phone company data center, and your phone line is freed again (like hanging up, from your point of view). If he gets mad and calls back, Lenny picks up the phone. I don't know how billing works between phone companies but maybe your phone company could even make a profit from keeping spammers bouncing around in virtual Lennyworld. Which would be a nice incentive to do R&D on improving and diversifying the bots.
This is incredible. I want an automated Lenny feature for all telemarketers that call me.. I get around 5 a day, this would be amazing.
Wow.

Does it count as passing the Turing test, or the scammers don't count as experts?

Come to think of it, the scammers themselves would fail the Turing test.

I think the Turing Test is usually described as an examiner is freely conversing with two subjects. The examiner knows that one subject is human and the other is AI. They are supposed to determine which is human and which is AI. If they can't achieve higher than 50% accuracy then the AI is deemed to have passed the Turing test.

It would be a much easier version of the test if the AI only has to fool the examiner in a limited set of circumstances such as a scammer trying to qualify people as potential scam targets with a minimum of effort.

"Candid Camera" did this long ago. They'd simply prepared a tape, with generic responses in it with gaps of silence. Then the salesman would grow increasingly frustrated with it, which of course was the source of the hilarity.
(comment deleted)
I read some of the conversations on the site; it’s quite interesting that the boys managed to have the same conversation over and over almost in the exact order.
I have been using this site for about a month on every piece of spam that tells me to write back. But, I have not gotten any responses. How are they even making money if they don't respond to clearly interested potential customers?
Add support for SMS and it’ll be perfect.
It looks like in many cases [1] it's confusing the threads? Subjects and discussions start changing after a few messages in many threads I looked at.

[1] https://spa.mnesty.com/conversations/vkeezpyz/

I see this all the time and have assumed it's related to difficulties correlating outbound messages (to the spammer) with responses. Also within a message thread the service sometimes fails to respond to the most recent email from a spammer. An example thread showing both issues: https://spa.mnesty.com/conversations/caabzkyg/
The failure to respond is because I set a limit, it stops after a few tens of messages to avoid endless loops with bots. The other messages are because it gets put into a list and just gets spammed, as far as I can tell.
Had a good chuckle reading through the chat logs, but it would be interesting to see the results using NLP to formulate new nonsense questions aimed at the spammer.

The spammer side seems to also employ some level of bot automation, and its like two bots going at each other with the occasional broken english comment showing confusion and frustration....this is truly golden.

MRs appreciated, but please make them in multiple short, self-contained pieces
Hmm. Tried it and the email bounced back with:

“554 Recipients' domain disabled”

Unfortunately, Mailgun is throttling the domain due to large rates of mail. All we can do is wait the ban out, I'm afraid.
Looks like you need a new domain provider; this is a show stopper.
I would agree, but I make liberal use of the free limits so I can't complain much. I don't really want to spend too much money running Spamnesty.
Are you able to easily detect whether your account is currently blocked and add some warning to the front page? Would make it easier than just spamming sp@mnesty.com until the mails don't bounce anymore...
I don't think Mailgun expose that in any API, I'm afraid. Good idea, though, I'll see if there's something available.
Same... I think they need a service status page
That's a cute idea. But I wonder if the system is mis-matching messages and replies.[1] How did a spam for fake Ray-Ban sunglasses turn into someone wanting app development?

[1] https://spa.mnesty.com/conversations/cturvzsr/

I'd bet that it is an IT company in India that had a compromised email server that sent spam. The mails look kinda legit, except for the first one.
I was curious about that too and checked, but couldn't find anything. It goes by the X-Reply-To (IIRC) header and they matched.
I saw www.rescam.org on here a while ago, definitely worth a visit!
The first thing I thought of was rescam, not sure how this project differs from rescam
rescam is currently offline
As someone else mentioned here, the only risk is that spammers will blacklist mnesty.com .

There should be some type of domain rotation (or you can test spoofing, just to see if spammers use the same anti-spoof software everyone else does), just like how spammers do so.

As an aside, kudos for using gitlab instead of github.

I love Gitlab, I put most of my projects there these days and mirror them on Github.
If and when that happens, someone can pick up a suite of cheap domain names. Thanks to the proliferation of generic TLDs, you can register a domain for less than a dollar per year through a legitimate registrar.
What we really need is something like this for the phone scammers, particularly the "IRS" scam I've been getting regulars calls from most of this year.
Someone made a call bot called "Lenny" to fool telemarketers, which uses recorded messages. They put up their call logs on YouTube:

https://www.youtube.com/playlist?list=PLduL71_GKzHHk4hLga0nO...

Hahaha, that was hillarious! I wish there was a bit of voice recognition too, because then this bot would be unbeatable! There should also be a few more variations, but then it seems more than enough to get the seller/scammer enganged for quite some time.
Forwarding from gmail to sp@mnesty.com results in

    554 Recipients' domain disabled
I once made something very similar, back then it was called an autobaiter by the scambaiting community. It would actually figure out what kind of scam the spammer was pulling and adjust its script in kind to pretend to play along with the scammers script.

I should dig that up again.

That sounds interesting, please do !
Spamnesty also has multiple scripts and you select the kind of spam to reply to. There's an MR open for doing this automatically, but it's pretty big and I've put off reviewing it for way too long.
OP here. Just to clarify, because I see a lot of congratulations. I just shared the project, I'm not the author.

Based on the GitLab project, the author seems to be @stavros:

- https://gitlab.com/stavros/Spamnesty

- https://twitter.com/stavros

- https://www.stavros.io/

Yep, that's me!
Nice idea, kudos! One curiosity though: I read a thread from the ones listed on the homepage and the signature of the Spamnesty emails said Mnesty LLC. If that's constant in every message the service sends out, wouldn't it be quite easy for the spammers to filter them out? Wouldn't you rather randomise sender details, including the signature?
Thanks! There's only one sending domain, so it would be incongruous to randomize the signature, unfortunately...
(comment deleted)
This is really cool. I tried building a similar project last year using an LSTM, but never ended up deploying it.

I wonder what James Veitch would have to say.

Email isn't free. It seems like it is but actually it takes significant resources to process all the spam. Using a bot to create more traffic is pointless and wasteful.

Yours sincerely, A guy who runs the mail transfer agents for an email security provider and has to deal with this every day.

Cool. Stop the spam and I’ll quit spamming you back.
We do. That's exactly what we do. But honestly the volume of spam is massive already.