Great idea! Wasting spammers' time is one of the very few ways of making them effectively lose money.
Still the project needs some pseudo randomization in order to fool basic research. Some of the messages I read contained the sentence "I am a bit busy now, but I am definitely interested. When can we talk?". If one searches for that sentence in quotes Google returns four pages of references to Spamnesty. A slightly more clever spammer would sense the trap in minutes.
I'm not aware of any program capable of adding some entropy to a sentence while maintaining its semantics and readability (save for insertion of random errors), but one could use a translator in different languages. Say English->German->Russian->Spanish->Polish->Danish->English, then send the resulting string as a reply. The above string for example becomes: "Now I'm a bit busy, but I'm definitely interested. When can we speak?" which (almost) fools the search. Almost because the 1st page still contains a couple of references to Spamnesty due to the above sentence's strong similarity, but they're well buried together with other completely unrelated stuff.
BTW, pairing this with a personal assistant stripped of any access to personal information/property/devices (such as a hypothetical open source cloudless one) and instructed to ask for details on every possible part of the offer, one could make the perfect weapon against phone telemarketers as well.
I guess spammers make most money from the lowest IQ percentiles on the internet. Therefore, we only have to develop AI that is as smart (stupid) as those people, and spammers won't be able to tell the difference.
There is no end to that argument; if a spammer is good enough to be able to foresee anti-spam software then they are likely beyond the target audience. BUT the average and by and large general spam crew are not technical experts; most of them have bought some software to advertise to a large audience by mass email / crawl / filter, and are just looking at monetizing some product (or getting your infos / CCs).
By wasting time for the 95% of the spammers (ironically with techniques that are very similar to them) you can still weed out a big chunk of that sector and have a big impact.
Well done. It does get the spammers frustrated. I remember reading about a similar thing[1] where instead of emails it was automated telephone replies and the scammers were cussing at the bots and generally super confused.
It did also manage to flood their phone lines making their call center useless for a while.
Some magnificent genius has created the perfect bot for hooking predatory telemarketers. "Lenny" is a slightly confused elderly man with poor hearing. He wanders off topic, he isn't sure what you just said and he is absolute catnip for crooks. If you haven't heard a call to Lenny, you're in for an absolute treat. This call from a tech support scammer lasts an exhausting 31 minutes:
The thing that makes me angry with some of those recordings is when the callers still think that they are talking to a dotty old fellow who they can con (they usually cotton on to the trick in the end). When to my ears Lenny sounds like someone with dementia who needs help and should not under any circumstances be sold to without a legal guardian present, what they seem to take from the situation is "great, I might make my whole day's quota on this daft old coot". At that point "but it is my job" really doesn't cut it.
I think this is a crucial aspect of Lenny's design. If the bot was just an asshole, you might gain some sympathy for the telemarketers. Their torment at the hands of Lenny feels entirely fair, because it's obvious that he is not fit to be making financial decisions. The more unscrupulous the caller, the longer they stay on the phone with Lenny; it's an elegant self-regulating mechanism.
The less supply there is of people willing to do it (at each given price I guess), the more the pay would have to be to hire people? So, I think, changing the population willingness to do it would change the profitability of it somewhat, perhaps slightly changing how much it gets done?
Very well done. And the ducks -- hilarious! Now how do you scale and vary this enough, to prevent suspicion? That's the next step. Near the end (28 min), it felt like the caller was probing with "can you hear me" to collect Lenny's canned responses. Would it be better to hang up earlier to avoid suspicion?
"Lenny" is only 21 short recordings, stitched together into a crude sequence. It's a remarkably unsophisticated trick on a technical level. It wouldn't be difficult to produce dozens or hundreds of Lennies on quite a small budget. Tweak the script a bit, get someone on Fiverr to record it and you've got a new and unrecognisable Lenny MkII.
Maybe, rather than investing more into Lenny, create some more personas (voice, gender, etc) to add to the variety between calls? Maybe also have an option to hand a call over to the next persona in lengthy calls (so that the caller has to start all over again, in order to explain the issue to the "room mate", "brother", "cousin", etc)...
"Oh, yes ... Oh, so late ... so late, already ... Listen, you have been so friendly with me, but I really have to feed the ducklings. It's well ... beyond their hour ... May I hand you over to my wife, Gertrude? She is such a nice person and knows these things better than me ..."
> It wouldn't be difficult to produce dozens or hundreds of Lennies on quite a small budget.
I'm not sure. Even though it is, as you say, remarkably unsophisticated on a technical level, it is extremely accomplished on an artistic level.
When I first learned about Lenny, I listened to most of his conversations, and it's impressive to hear how often he actually seems to be answering questions or gets distracted in just the right way at just the right time.
The writing (and acting) is just about perfect. I don't know if this is because of sheer genius, or simply lightning in a bottle, but either way I doubt it could be simply reproduced hundreds of times.
Lenny being 'just' a bunch of unchanging messages in unchanging order made it all the funnier and more amazing to me (and it was completely brilliant before I realised).
I remember first seeing it a while ago, posted here, ironically (or perhaps naturally) in a thread about Spamnesty (also excellent).
I'd love to see it as an app with a blacklist for spam numbers or telemarketers. Use a better text generation engine like a modern deep learning based generative model, and deep voice or crowd-sourced recordings.
I had a Lenny bot running on my home phone line for a bit. I had an Asterisk server with a whitelist (I only get land calls from 2-3 numbers) and recorded some hilarious calls. I even have a few from the Church of Scientology (the prior owner of the number apparently was a member) and from bill collectors (and she also owed a bunch of medical bills).
"Candid Camera" did this long ago. They'd simply prepared a tape, with generic responses in it with gaps of silence. Then the salesman would grow increasingly frustrated with it, which of course was the source of the hilarity.
This is great! Instead of trying to be smart, Lenny capitalizes on prejudices about the elderly and possible communication factors regarding non-native call center operatives. It's more social engineering than a conversational bot. – Well done.
On my "todo" list for 2018 -- ThisIsBenny.com -- a website with a bunch of buttons, every one of them a different phrase, so when a marketer is calling you, you can put it on speakerphone and "lenny" them yourself :)
This is quite easy to make into a phone app too, seeing how apps can intercept calls. Combine it with a phone number database like Whoscall, and one can get beautiful results.
An even more beautiful idea would be if you could let your phone provider run the bot. Just press the magic button and the spam caller gets transferred to the upside down in the phone company data center, and your phone line is freed again (like hanging up, from your point of view). If he gets mad and calls back, Lenny picks up the phone. I don't know how billing works between phone companies but maybe your phone company could even make a profit from keeping spammers bouncing around in virtual Lennyworld. Which would be a nice incentive to do R&D on improving and diversifying the bots.
I think the Turing Test is usually described as an examiner is freely conversing with two subjects. The examiner knows that one subject is human and the other is AI. They are supposed to determine which is human and which is AI. If they can't achieve higher than 50% accuracy then the AI is deemed to have passed the Turing test.
It would be a much easier version of the test if the AI only has to fool the examiner in a limited set of circumstances such as a scammer trying to qualify people as potential scam targets with a minimum of effort.
Nice idea, kudos! One curiosity though: I read a thread from the ones listed on the homepage and the signature of the Spamnesty emails said Mnesty LLC. If that's constant in every message the service sends out, wouldn't it be quite easy for the spammers to filter them out? Wouldn't you rather randomise sender details, including the signature?
> Unfortunately Mailgun has disabled the domain due to rate limits. All we can do is wait […] I think it's just the HN effect that got it to send too many messages at once.
That's a cute idea. But I wonder if the system is mis-matching messages and replies.[1] How did a spam for fake Ray-Ban sunglasses turn into someone wanting app development?
From glancing over some conversations, it looks like the bot is mostly talking to other bots.
That said, I think it’s nice to be able to reflect the same attack vector upon the attackers to make the attack less efficient and hopefully less attractive.
Many of the replies seem like they involved at least some human effort, although it would be nice to be sure--I wonder if there's some way to introduce some spammer-appropriate text captcha into the exchanges?
I think that's mostly because conversations in the home page are sorted by frecency right now. That naturally favors bots, because they respond more immediately.
It is mostly - but there are some where it's obvious the spammer gets frustrated: "I believe you must be a fool or an idiot to think am here to play games." - Spammer [1].
> That said, I think it’s nice to be able to reflect the same attack vector upon the attackers to make the attack less efficient and hopefully less attractive.
If it's just bots replying - which honestly doesn't actually seem to be the case - I don't think it's going to make a big dent in their efficiency. It might backfire, though, and just cause more garbage traffic.
Message not delivered
There was a problem delivering your message to sp@mnesty.com. See the technical details below, or try resending in a few minutes.
As someone else mentioned here, the only risk is that spammers will blacklist mnesty.com.
There should be some type of domain rotation (or you can test spoofing, just to see if spammers use the same anti-spoof software everyone else does), just like how spammers do so.
As an aside, kudos for using gitlab instead of github.
If and when that happens, someone can pick up a suite of cheap domain names. Thanks to the proliferation of generic TLDs, you can register a domain for less than a dollar per year through a legitimate registrar.
I once made something very similar, back then it was called an autobaiter by the scambaiting community.
It would actually figure out what kind of scam the spammer was pulling and adjust its script in kind to pretend to play along with the scammer's script.
Spamnesty also has multiple scripts and you select the kind of spam to reply to. There's an MR open for doing this automatically, but it's pretty big and I've put off reviewing it for way too long.
So it would be hilarious if you connected the spam asking for manuscripts[1] to the fake manuscript generating code [2]. We would end up with bot published journals.
I have been using this site for about a month on every piece of spam that tells me to write back. But, I have not gotten any responses. How are they even making money if they don't respond to clearly interested potential customers?
Are you able to easily detect whether your account is currently blocked and add some warning to the front page? Would make it easier than just spamming sp@mnesty.com until the mails don't bounce anymore...
I love the use of the subdomain and email sp@mnesty.com to hide the name from spammers. But won't human spammers eventually figure out what mnesty.com is and stop responding?
That's true. Unfortunately, it's not trivial to add more domains, as you'd need to own them all (to add DNS records for sending and receiving). I wanted to accept donations at some point, in the form of pointed DNS records, but realized that I couldn't do that without owning the domain, as if the domain lapsed or was transferred, Spamnesty wouldn't know and it would keep sending email from that domain, to no avail.
You could request people to home sub-domains or even register full domains for you and populate MX records etc. You simply have to test the domain records before sending. You could periodically generate a TXT record, say annually, that should be updated.
Out of curiosity, have you ever tried to track any stats about how often it reaches a spammer, whether it's interacting with the same spammer multiple times, etc?
While I think the donating of DNS records is an interesting idea, I personally wouldn't want to risk giving permission to an outside party for the domains I use, and I don't think it would be worthwhile to try and correctly maintain a domain just as a donation.
You could check if the MX records still point at your service, or, better yet, send a test e-mail to that domain every so often and see if it reaches your service.
Indeed, but it's added complexity and I'm not sure how many people would bother setting the DNS records I asked for. I might try it at some point, though.
I have one domain at hand that I don't use for mail at all, so people counter >= 1. I could set any MX/SPF records you want as long as I don't have to change them every two months or so... ;-)
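The donated-domain checks suggested in this subthread (test the DNS records before sending, rotate a TXT record annually, confirm the MX still points at the service), sketched as an added example that is not Spamnesty's code or any commenter's. The host names, secret, token format and the in-memory zone are all constructed assumptions; `lookup` stands in for a real resolver.

```python
import hashlib
import hmac

# Assumed values for illustration; none of these come from Spamnesty.
SERVICE_MX = "mx.baiter.example"
SPF_INCLUDE = "include:spf.baiter.example"
SECRET = b"constructed-demo-secret"


def challenge_token(domain, year, secret=SECRET):
    """TXT value the donor must publish; it changes every year (hypothetical format)."""
    msg = f"{domain.lower()}|{year}".encode()
    return "baiter-verify=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def check_domain(domain, year, lookup):
    """Return a list of problems; an empty list means the domain is safe to send from.

    lookup(name, rtype) -> list of record strings, so a live resolver or a
    test zone can be plugged in.
    """
    problems = []
    mx_hosts = [r.split()[-1].rstrip(".").lower()
                for r in lookup(domain, "MX") if r.split()]
    if not mx_hosts:
        problems.append("no MX records")
    elif any(host != SERVICE_MX for host in mx_hosts):
        problems.append("MX points elsewhere")

    txt = lookup(domain, "TXT")
    spf = [t for t in txt if t.lower().startswith("v=spf1")]
    if len(spf) != 1 or SPF_INCLUDE not in spf[0].split():
        problems.append("SPF does not authorise the service")

    # A token from a previous year fails here, which catches abandoned donations.
    expected = challenge_token(domain, year).encode()
    if not any(hmac.compare_digest(t.encode(), expected) for t in txt):
        problems.append("challenge TXT missing or stale")
    return problems


def usable_domains(domains, year, lookup):
    """Filter the rotation pool down to domains that pass every check."""
    return [d for d in domains if not check_domain(d, year, lookup)]


# Constructed sample zone: one healthy donation, and one whose MX was repointed
# and whose token was never renewed. "lapsed.example" has no records at all.
ZONE = {
    ("good.example", "MX"): ["10 mx.baiter.example."],
    ("good.example", "TXT"): ["v=spf1 include:spf.baiter.example -all",
                              challenge_token("good.example", 2018)],
    ("moved.example", "MX"): ["10 mail.newowner.example."],
    ("moved.example", "TXT"): ["v=spf1 include:spf.baiter.example -all",
                               challenge_token("moved.example", 2017)],
}


def zone_lookup(name, rtype):
    return ZONE.get((name.lower(), rtype), [])


if __name__ == "__main__":
    for d in ("good.example", "moved.example", "lapsed.example"):
        print(d, check_domain(d, 2018, zone_lookup) or "ok")
```

Running the check immediately before each send, rather than on a schedule, is what keeps a lapsed or transferred domain from being used "to no avail".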
Spam is a daily problem for me. I can't use auto-filters, because I live in Taiwan and most emails written in Chinese are flagged as spam. That includes important messages from my bank, colleagues, and landlord. Eventually I gave up using auto-filters, and I now manually delete ~50 spam every day.
Being able to do something useful with that will make my spam-sorting a little less mind-numbing.
Have you considered registering your own domain and giving out personalized emails to everyone? E.g. from_blahbank@mydomain.tld? That way, you could rotate the most often leaked prefixes regularly without disturbing other recipients.
This is the email version of when Telemarketers call me and ask to "speak with someone in the house between the ages for x-y" to which I say, "sure just a sec", then put the phone down on the desk and walk away.
At this point, I've basically stopped answering my cell if I don't recognize the number. If it's important, they'll leave me a voicemail (it never is).
One other thing I did was port my landline over to callcentric.com, where for $3.50/month or so, I can 'firewall' all calls coming to that number, making it safe to give out to anyone. Their call treatments allow me to, by specific number or patterns (800*), drop, send to voicemail, play the "number disconnected" tone, forward, etc. It's great - no more calls I don't want.
I've found that if I don't recognize the number, I answer the phone and don't say anything. If no voice comes over the line within 5-10 seconds, I hang up.
I have heard that these automated systems wait for a sound before they log you as reachable for further annoyances.
If I do answer, I stay silent, even muting my phone.
Usually the call just hangs up.
I get the cruise every few months, from spoofed local numbers.
As soon as I say hello, the automated recording went off.
I had a friend who liked playing around, and drafted fake PayPal confirmations and western union statements as proof he sent the scammers money.
They were confused why they didn't have his funds, asking him to triple check recipient info and resend, to which he would send another fake confirmation.
They would eventually catch on, cussing him out after weeks.
Isn't there a registry where you can opt to not be disturbed there? We have it here and I signed up, and calls eventually stopped. I also love terrorizing spam callers with "give me your name and company name, this call is illegal". They usually get flustered and hang up.
Gamifying this kind of thing would be intriguing. I'm imagining some server that would work like spamnesty, i.e. you could easily let it handle your spam. But I'm also imagining the possibility of registering as a bot creator and plugging in your own algorithms. API-wise it would be super simple, much like creating a chatbot for Slack, but the logic could be as advanced as one would like. The server would then score the algorithms on established metrics such as "average number of responses" or what one might dream up. There would be leaderboards and stuff.
It would all work nicely until the spammers start creating their own bots to keep our bots busy. Bots would keep inane conversations going forever.
What we really need is something like this for the phone scammers, particularly the "IRS" scam I've been getting regular calls from most of this year.
Hahaha, that was hilarious! I wish there was a bit of voice recognition too, because then this bot would be unbeatable! There should also be a few more variations, but then it seems more than enough to get the seller/scammer engaged for quite some time.
Honestly, why don't we get insider / whistleblower posts here on HN? I understand spamming is quite vilified among most techies, but someone is doing the spamming. Is it because the bulk of spamming is done using very unsophisticated ways? We get anonymous posts on pretty much all other topics.
I see this all the time and have assumed it's related to difficulties correlating outbound messages (to the spammer) with responses. Also within a message thread the service sometimes fails to respond to the most recent email from a spammer. An example thread showing both issues: https://spa.mnesty.com/conversations/caabzkyg/
The failure to respond is because I set a limit, it stops after a few tens of messages to avoid endless loops with bots. The other messages are because it gets put into a list and just gets spammed, as far as I can tell.
I tried this when it was new, and saw two issues with it. Firstly, it uses western names as the responder, which may not be the best case everywhere — ideally the person submitting the email should be able to specify a name to use. Secondly, the mnesty name and Mnesty LLC wouldn't seem believable to many (human) spammers either, depending on the region. I didn't get responses for many emails I submitted — my guess is that the spammers thought it's a waste of time (which is also good, but not frustrating them enough).
Ha, my comment from earlier today [1] reposted as a top of front page post.
It's like when you say something funny in a group setting which only one person hears, and instead of asking you to repeat it for everyone, they repeat it loudly themselves like it was their joke! :)
Edit: Heaven forbid that you should point out that HN is sometimes just like Reddit! Downvote away, I have no interest in MIPs†.
This could easily be one of the “smallest” things to have the greatest impact. Looking forward to reading statistics on how much this software takes in % of total spam time and saved money.
I read some of the conversations on the site; it’s quite interesting that the boys managed to have the same conversation over and over almost in the exact order.
Email isn't free. It seems like it is but actually it takes significant resources to process all the spam. Using a bot to create more traffic is pointless and wasteful.
Yours sincerely,
A guy who runs the mail transfer agents for an email security provider and has to deal with this every day.
I note the fake replies are quite limited & repetitive. It would be extremely interesting to see if deep Q learning could be used to develop more realistic replies. "rewards" would simply be getting more (and faster) responses.
This is great, but I feel like it's wrong that regular people think they have to step in to fight spam.
After all, these messages benefit actual companies. I receive many spam messages from American companies that are legit. Why can't governments do more to fight spam? It's illegal after all (at least in Italy and I'd guess Europe), so how come companies get away with it?
Had a good chuckle reading through the chat logs, but it would be interesting to see the results using NLP to formulate new nonsense questions aimed at the spammer.
The spammer side seems to also employ some level of bot automation, and it's like two bots going at each other with the occasional broken English comment showing confusion and frustration....this is truly golden.
I liked the idea of increasing the amount of time a spammer expends over their email.
I didn't like the idea of having to manually forward the email, manually remove personal information from the body of the email, and sucking the recipient into watching the conversation unfold live. Because it increases the amount of time a recipient expends over a spam email.