[The harasser] was hitting me on email and twitter for more than [2100 messages], and the thing was, those all got past the filters I’ve got in place. So one obsessed crazy man with minimal technical skill and nothing but persistence outperforms all the spambots out there, at least on the scale of individuals, if not in breadth of attack.
PZ Meyers

Dr. Meyers goes on to suggest that spammers could defeat filters just by hiring a bunch of people who would manage an ongoing campaign of identical but not quite emails.

Spammers have beat him by at least a decade. In fact, much of the Nigerian 419 spam and associated scams are hand written and sent out by people paid pennies an email to send them.

Where everything falls apart, though, is getting a response. The harasser didn’t need a response from the people he was harassing. So he could go through dozens and dozens of email addresses and twitter accounts a day. Spammers are usually attempting to collect money from people, and they need to have some sort of way for their targets to provide that money.

In fact, a group of researchers looked at credit card processing as a way to stop spam.

95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by just three financial companies — one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies.

(Report PDF)

It was taken as truth back when I was handling abuse@ that if we could stop people from buying from spam, that we could stop the spam problem in its tracks. That failed for multiple reasons. First, it’s impossible to stop people from being manipulated and taken advantage of by scammers. Second, spammers have figured out how to make money in many more ways than getting people to give it to them. Now, a lot of spam is not advertising real products or services. It’s closer to theft or fraud.

SpamZa allows anyone to sign up any address on their website, or they did before they were unceremoniously shut down by their webhost earlier this week, and then submits that address to hundreds of opt-in lists. This is a website designed to harass innocent recipients using open mailing lists as the harassment vehicle.

Geektech tested the signup and received almost a hundred emails 10 minutes after signing up.

SpamZa was hosted on GoDaddy, but were shut down early this week. SpamZa appears to be looking for new webhosting, based on the information they have posted on their website. 

What does this mean for senders?

It means that senders are at greater risk for bad signups than ever before. If you are targeted by SpamZa, you will have addresses on your list that do not want your mail. Some of those addresses could be turned into spam traps.

1. Check your signups. If you see hundreds of signups coming from the same IP address over a very short period of time, treat them carefully. There are a number of things a sender can do to limit the impact on a list.
   1. Delete the addresses coming from a single IP
   2. Confirm the addresses coming from a single IP
2. Implement confirmation. Start using closed loop opt-in (double opt-in) on new signups going forward. This will keep future incarnations of SpamZa from corrupting a list. It will also prevent lists from acting as attractive nuisances.
3. Do not trust vendors. Senders who are are buying a list or using a co-reg provider must confirm all the addresses before mailing them. There are some suggestions that the SpamZa people are selling addresses. Senders must protect themselves and their assets.

The one thing a sender absolutely does not want to do is add any SpamZa collected addresses to a mailing list. This is not a problem that will go away, it is out there in the wild now. This is the time to start implementing protections, not after the horse has left the barn. Confirmation is one of the better ways to protect an asset against this type of interference.

Followup post: Yet More Data Verification