Slashdot Mirror
Distributed Spam Detection
A reader writes "There's an interesting project at SourceForge, called, "Vipul's Razor", that uses a gnutella like
system to let users exchange spam "signatures" to filter spam. I work at an ISP in Ottawa, we have been using it for last two weeks to stop bulk of spam coming to our POP3 accounts. More impressively, it hasn't tagged any valid mail as spam yet.
Here's
the scoop from its webpage:
"Vipul's Razor is a distributed, collaborative, spam detection and
filtering network. Razor establishes a distributed and constantly updating
catalogue of spam in propagation. This catalogue is used by clients to
filter out known spam. On receiving a spam, a Razor Reporting Agent (run
by an end-user or a troll box) calculates and submits a 20-character
unique identification of the spam (a SHA Digest) to its closest Razor
Catalogue Server. The Catalogue Server echos this signature to other
trusted servers after storing it in its database. Prior to manual
processing or transport-level reception, Razor Filtering Agents (end-users
and MTAs) check their incoming mail against a Catalogue Server and filter
out or deny transport in case of a signature match."" Cool idea. I'm up around 80% spam a day on my main mail account. Might be worth a try.
I'm personally using SpamBouncer, a procmail-based spam filter. Works fine for me.
This is a great use of p2p -- something that doesn't involve piracy. I wish I had heard of it before.
Are there any other innovative non-piracy p2p apps out there that we should know about?
...what stops this from being abused? Say I set up a box that automatically reports all mails on the most popular mailing lists as spam, effictively making the ISPs around the world start to filter out the mailing lists...
It's a great initiative, I really hope no troll out there takes my word on this and actually do this.
I read some of the documentation, but I can't find details on a couple of questions. Do the servers authenticate with each other? It was implied, but how deep is it? Are the SHA signatures signed to the originating server (or client/trollbox) too? I think this kind of model is great, but if you don't have some nifty authentication/accountability, it can be wide open for abuse. I'm sure anyone reading slashdot can imagine a vengeful spammer flooding the network with bogus or malicious hashes.
funny munging
The people who came up with this idea deserve to be considered heros! This is one of the coolest uses of technology I have seen. (Not to be too gushing: SPAM is a rich mans problem - I hope someone comes up with some cool technological solutions to some of humanities more basic problems.) I run a server which hosts mail for a number of domains. I haven't yet, cause I just heard of it, but this will be used! There might be some interesting extensions based on possible problems: certain kinds of spam interest certain people. Perhaps a categorization system would be useful so that spam can be filtered based on these categories (for example, some people might like receiving 100 MLM spam messages a day :-P ). Also, there is an (extremely) slim chance that a legit mail might be blocked based on match hashes. Although this is extremely unlikely, could it be fixed somehow? Finally, some spam comes with very slight differences but is essentially the same spam instance. Chain letters are in a grey area. It would be good to have some heuristic methods of filtering based on content too. I don't know the characteristics of the hashing algorthm used, but perhaps by doing three hashes: start of message, middle of message, and end of message, it may be possible to identify spam even if a small part has been change.
Anyway, just some random thoughts.
Kudos again to those who have built this!
Helping with organizational effectiveness is our job.
Nothing truly insightful here, just speculation from a convenience freak.
-
And the Angel said unto me, "These are the cries of the carrots! The cries of the carrots!"
I'll post my usual public service announcements here:
SpamCop is a great service for reporting spam; just paste the spam message into the web form, and it'll automatically figure out where the smap came from and send complaints off to the appropriate people.
The Spam Bouncer is a procmail-based personal spam screening tool. It's got some interesting features, but I haven't used it in a long while.
The way I avoid spam is to have my mail client screen out any email which contains any of these phrases:
to be removed
to be permanently removed
to get removed
to get off the list
to get off this list
to be taken off
to remove yourself
removal instructions
remove in subject line
"remove" in subject line
remove in the subject
"remove" in the subject
'remove' in the subject
S.1618
S. 1618
This list by itself catches about 80% of the spam I get.
Razor catalogs spam by hashing the entire text of the message. Later potential spam is "detected" by hashing entire texts of messages to see if the hash matches any of the existing hashes in the spam catalog.
To get around this all a spammer has to do is change/add at least one charachter to each spam. This would make all the hashes unique and no spams would be detected.
I love costing spammers real money just got to
http://goto.com
and do a search for "bulk email" each link you click will cost the scumbags that sell spam software or spamming services several dollars each
Also I love this new technology I wish all isp's would use it
and for more spam fighting ideas please check out
http://www.lenny.com/spam
http://Lenny.com
4 great justice!
As far as I can tell from a quick glance at this, it looks like the entire message body is being used to compute the signature. This isn't going to work very well -- over half of the spam I receive is "personalized", and that fraction is growing every day.
This could work very well, but we need some way of computing signatures which will be invariant across different copies of personalized spam for this to be effective.
Tarsnap: Online backups for the truly paranoid
It does seem like a remarkably sensible system, just getting email clients to talk to each other about the emails they get.
You can tell if the same email has been sent to hundreds of people (and if you use hashes, you can do that without revealing the email)
You can click a "this is spam" button when you read an email, and anyone who trusts you (i.e. has your public key in their "trusted filtering friends" list) can look for similar messages and filter them.
But, there do seem to be a load of problems:
- Personalised email, as someone already mentioned
- Privacy problems with letting others into the secrets of your mailbox
- If you have the original of a message, you can calculate the hash, then see who else got the message (i.e. works for personal mail as well as spam)
- Relatively easy for malicious users to wrongly label someone as a spammer
Well worth investigating, though...
This is probably a 'fuzzy' hash function that should ignore minute variations. However, it goes without saying that if this hash-based spam filter becomes widespread, then the spammers will simply figure out how to hash-bust their way past it.
To have any hope of working over the long term, this kind of an approach must include the ability to distribute not just the hashes themselves, but the hash function as well, so that the hash function itself can be adjusted, when needed.
.derf
To eliminate the situation where one person posts a lot of "incorrect" signatures, a ranking system could be applied.
./ moderation?
The thought goes like this.
A person submits a signature of "identified" spam mail to a "supernode" for ex. and the submission gets a ranking of 1. Each additional submission (by other users) increases the score by a number.
This way, there are several classifications which could be used to filter incoming mail. For the mail providers, they could opt for only removing mail matching signatures with a very high score (thus very likely these will be actual spam) or they could filter anything reported.
The purpose of allowing the use of classifications is that it will take longer time to get higher scores, since more people have to report the specific spam mail. Some people whish to eliminate things the least bit suspected, but mileage may vary.
Do you see a resemblance with the
In a society that believes in nothing, fear becomes the only agenda ~ Bill Durodié
Injecting random hashes into the network won't result in valid emails being tagged, but can flood/DOS the catalogue machines.
It would be possible to create hashes for a number of "probable" emails, but diversity in messages is so big, the chances are quite slim to actually stop a legitimate mail.
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
I'm using Mailwasher it works well for me. Allows you to preview your message headers, delete,blacklist and 'bounce' anything you dont want to recieve. Works well on spam as well as email from your ex-girlfriend.
Don't Tread on Me
I noticed that a lot of spam coming through my Yahoo account had been tagged with the header "X-YahooFilteredBulk". I added this to my Exim system filter and I've gone from 20+ spams a day in my inbox to 2 in a week. Thank you Yahoo!
Unfortunately, a lot anti-spam measures (including Exim 3's system filters) only take place after a message has been accepted for delivery. For me, this results in a lot of bounce messages frozen in the queue as they cannot be returned (Hotmail mailbox full, etc). I've switched on features like verifying the sender and the headers, but this doesn't catch them all, and in some cases might even stop some legitimate spam (one of my mailing lists uses incorrect syntax for the "RCPT TO:").
More effective anti-spam systems need to filter before the message has been accepted. If you wait until then, it is already too late and it is on your system. No, refusing accept delivery is much effective IMHO, and forces the MTA's further up the chain to deal with it. They shouldn't have accepted it in the first place! When you get spam, return 550 (or whatever the code is) and let the SMTP client deal with it. In an ideal world, ever provider (ISP, or free service like Yahoo) will implement stricter MTA's. If the spam rejection can be pushed far enough up the chain, life for everyone will easier.
BTW, according to Philip Hazel (a message I recieved to a question I posed on the Exim mailing list), Exim 4 will offer much more functionality along these lines, including the invocation of C funtions after the DATA phase of the SMTP input. I guess this would be the spot to plug in Vipul's Razor, although I don't know what kind performance hit that would lead to. Mr. Hazel also pointed out that some stupid clients are in contravention of the RFC and will continue to try and delivery a message if they recieved 5xx after the DATA phase... oh well: they'll be using my bandwidth but they won't be putting any crap on my server.
What stops the spammer from including a unique identifier in each e-mail (such as a count variable), changing the SHA for each e-mail that goes out?
Just a thought...
http://kered.org
I found a clever way to defeat most spam on the webpage of an avid cyclist; unfortunately I can't remember his name or enough information about him to run a Google search and give this method proper attribution. But here goes anyway:
The key to this method is to realize that most spam has a spoofed "To" address -- RARELY is it addressed directly to you. If you dig in the message headers, you'll usually found it was mailed (or CC'd) to a whole bunch of people at once, for obvious reasons. So you set up your mail filters thusly:
First, set up a filter allowing any "legal" mailing lists you're on to go to your Inbox.
Next, a filter to allow any mail sent directly to you (i.e. you@domain.com is in the To or CC lines) to go to your Inbox.
Finally, a filter that deletes everything else.
You'd be amazed how effective this is. Since setting this up, I only get maybe one spam message past this system every three or four months.
Mind you, I also have my email come in via Bigfoot, which has a pretty good spam filter itself. But this has nonetheless proven quite effective.
>> This wont work. All that will happen is that the spammers will just modify their spam programs to slightly modify each message they send out.
It will however require them to send each specific message separately rather than sending large cc's or using some sort of relay. That alone is a big step since right now most spammers can get away with sending a single email message and relying on an open relay to retransmit to a larger group.
Furthermore I have doubts that for the time being this project will concern spammers. Infact I am pretty sure spammers are not really interested in wasting their own time trying to spam people who consider spam a violation. It is more convenient to ignore those people (which is why they don't bother to check if you want spam or not before they send it to you).
DLG
This seems like it would be a great method for virus detection on a non-Windows machine. For those of you who run *nix mail servers which eventually filters down to Windows clients, having a mail tagged as viral would be nice to have it be immediately denied at the server. So I'm assuming all it would take is a smart admin to tag the email as spam, and then it will propagate around to the other servers (less than 1k would transfer!).
I spent the last few days hacking together a bulk mailer in perl. I did so with a lot of sensitivity and a bit of trepidation and a lot of social engineering to my employer who wanted to put together a way to send invitations to a party via email, rather than the very expensive snail mail method that we had been using.
This was emailed to our real customers - our 'A list'. These are the people who get invited to these parties each time - people who come and enjoy the food and drinks, no strings attached.
But, yet, technically, it *is* bulk email and this first time, unsolicited. A very large percentage of the people responded enthusiasticly that they want to remain on the list for this, but a few (8 out of 3500) asked to be removed from the list. One guy seemed annoyed and I typed him a personal apology. (In fact, I doubt that this guy read the email before sending off his remove request.)
What if that guy had submitted the email as spam to this system?
In that case, the rest would miss out on coming to a good party.
I hate spam as much as anyone on slashdot. I was asked to set up a bulk email and found that it could be done in a way that was not offensive in this case. Had it conflicted with my conscience, I would have refused.
Maybe the system needs some sort of moderation as a filter, too. At least that would allow valid bulk email to survive one trigger-happy end-user.
Ok, go ahead and tell me that I'm wrong in this...
Cheers,
Jim in Tokyo
-- My Weblog.
Well at least it *WILL* filter some of the bad content while leaving the good one clean, right now I receive 20 mails a day of spam in my hotmail inbox and the hotmail filter killed *VALID* messages! they keep junk for 2 weeks, I found that out 3 months later because my girlfriend posts would never reach me for the last few days.. and she's far from being a spammer.
:) ).
There's not perfect solution for spam (aside from killing every single individuals that dare spamming people, which unfortunately is still illegal
Legislation is too busy removing our civil rights right now than to make our lives better (as they should do). So right now, I'd say, ANY technology helping us to reduce spam should be welcomed and helped in a productive way instead of bashing on it without even giving it a try. It's an open project and it means that if you can contribute in a POSITIVE way, you should. Else, people, please don't discourage programmers working on something that could eventually come out as being a very good solution.
--- Metamoderating abusive downgraders since my 300th post.
Many such tricks can be defeated by only hashing words that appear in some standard dictionary and discarding all else, such that
gets reduced to LIVE NAKED DRESSED GIRLS before hashing. Even then, the smart thing to do is not to block matching mail but to blackhole the sources of matching mail, preferably permanently. Humanity's more basic problems are the inability to cope with the concept of a world without scarcity. Would that technology fix that instead of providing the powerful with more ways to create unnatural scarcity.-jhp
/. -- the Free Republic of technology.
Tom Geller
For the many /.ers who:
a. Use Outlook secretly
b. Receive loads of foreign spam
c. Don't know any foreign languages
d. Don't have any foreign friends
e. Don't have any friends
This Outlook rule is for you!
Apply this rule after the message arrives
with
Ô or ¾ or Ç or or É or ½ or Í or ò or Ë or ® or Ä or ã or Ï or Ö or Ô in the subject or body
delete it
and stop processing more rules.
This blocks 99% of foreign spam. Sue Mosher wrote about other effective methods for killing spam in Outlook. Finally, before you reply saying "You dummy, that filter works in any client!" -- You're right.
I receive about 40 spam messages in my mail account each day and I run my own mail server (qmail). Someone told me about a very basic spam stopping method. Just remove the mail-account for a couple of weeks and then reconnect it again, you should less or no spam after that period.
I receive too much real messages in order to try this out and I think most spammers won't bother to actuall remove an email address from their database if it doesn't exist. But has someone else tried this with any luck?
This p2p spam sounds really nice and I'm going to give it a try asap. I already "lost" an other mail-account in the flood of spam I got on it, so now it forwards all messages to msnbill@microsoft.com (microsoft domain billing address).
everytime spam gets mentioned on slashdot, someone says this, and everytime i respond with the work i've been doing-
pattern matching spam
uses word counts and phrase counts from known spam and known good mail to match against incoming mail. requires a certain amount of known spam/not spam, but otherwise it has a good rate of matching spam/not spam and doesn't require the incoming mail to at all known beforehand.
-f
www.blackant.net
I've been working on a similar project but using additional factors that help identify spam such as violations of the mail RFC's, and other header indicators, in addition to NLP. I have a prototype that I'm using to score all of my inbox e-mail and am using that to tune the weight factors and add in new factors as I encounter them. It would be interesting to combine your approach with mine I think, since I hadn't thought of analyzing trigrams.
Anyway, if you are interested send me an e-mail and I'll give you my current perl code.
LibBT: BitTorrent for C - small - fast - clean (Now Versio
Recently, though, SpamCop switched to a heuristic spam-filter, which is quite leaky. Not only does spam get through, messages from well-known viruses come through. It stops maybe half the spam now.
So SpamCop is now no more effective than typical procmail filters. So there's no point in paying for SpamCop service any more.
Anyone know of a good challenge/response alternative to SpamCop?
you can find some scripts here
http://www.lenny.com/spam
http://Lenny.com
4 great justice!
Some of you point out that Razor's use of SHA-1 signatures can be defeated by introducing randomness in the message. This is true; SHA-1 will eventually be phased out and replaced by a fuzzy hashing mechanism like nilsimsa in future. [http://lexx.shinn.net/cmeclax/nilsimsa.html] [http://www.geocrawler.com/archives/3/2539/2001/7/ 0/6173567/]
The protocol is structured to aid change of
hashing algorithms seamlessly, without breaking
the existing system.
Regarding the possibility of poisoning the database, we are working on a reputation system
that will assign credit to honest reporters.
Once we have a critical mass of users, it would
be hard for dishonest reporters to even join
the reporting network, much less be able to
mount a DOS attack.
Some of these issues have been discussed on the
razor-users mailing list. The list archives
are located at
[http://www.geocrawler.com/archives/3/2539/2001/]
best,
vipul.
Watch out! In some cases an 888 or 800 number can act like a 900 number - It can cost you money!
http://www.bbbsouthland.org/topic110.html
for more information.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.