The Growing Field Guide To Spam Techniques

Aneusomy writes "From Activestate: 'Compiled by Dr. John Graham-Cumming, a leading anti-spam researcher and member of the ActiveState Anti-Spam Task Force, the ActiveState Field Guide to Spam is a selection of the tricks spammers use to hide their messages from filters, providing examples taken from real-world spam messages.' The hope is that Activestate and others can contribute to continually expand this guide, so that anti-spam filters improve."

Re:"Tricks?"

[wiggys]

You miss the point comletely. Any reasonably normal intelligent human being can spot and delete spam - that's never been the issue. The point is that spam is annoying and can be very time consuming for a human to deal with, which is why computerised spam filters were created.

The first generation of spam filters were crude and simplistic - they would delete an email based on the sender, or maybe one or two key words. This isn't effective because spammers rarely use their own email addresses in the "Reply to" field, and deleting all email which contains the words "marketing" or "investment opportunity" is likely to delete legitimate email. Besides, spammers can easily get around this by altering words in such a way as to delete filters (V*I*A*G*R*A is easily read by a human but a computer looking for "viagra" and "viagara" would not stop it)

The best spam filters today use Bayesian filtering to eliminate spam: you train the filter by giving it a pile of email and telling it these are genuine, and another pile and saying these are spam. The filter then looks through the mail and gives certain words a weighting - if most spam contains big red letting with words like "investment", "click here to be removed" and "penis enlargement" then it would score highly and be given a higher probability of being marked spam. Email containing words with your name in it, or words relating to your life or work, would be given a higher probability of being called spam.

And for crying out loud, "spam" is not an acronym so stop writing it in upper case!

Getting worse

[BenjyD]

I've definitely noticed that my spamassassin filters are getting less effective. Six months ago, it was rare to see a spam that didn't get caught. Now maybe 10-20% get through.

As I use a sensible email client that doesn't render HTML by default, I can't even read the text of the spams anyway.

Re:Getting worse

[Ed+Avis]

Yes - it looks like the majority of the 'spammers' tricks' listed are silly HTML tricks. From the messages I receive, a good rule of thumb is that HTML format implies spamminess. It might be different if you regularly have to communicate with Outhouse users.

HTML rendering was added to Pine only fairly recently. Given the quantity of HTML spam out there, it might have been a mistake.

My approach

[gowen]

Bayesian filters are all well and good, and are -- for now -- effective. But given these tricks, the only really reliable approach I've found is IP blacklists for repeat offenders. If your machine is used to spam me, and my complaint letter is not answered in a satisfactory way (i.e. an email saying "We are sorry. The spammer has been cut off") I don't accept mail from you any more.

And if you're on ATTBI, or Comcast, or PBI.net, or BT Openworld, or Chello, or any number of large ISPs with too much tolerance for spammers, and you're not on my whitelist, I can't read your emails.

And I don't care. Get a ISP who don't shelter spammers.

Render the HTML then use OCR

[thelandp]

Here's a crazy idea... (but is it crazy enough?)

All of these spamming techniques seem to involve visual tricks, because the rendered HTML is viewed in a very different way to a human than the plain text would be seen by the filter. Things like zero-height fonts, or white-on-white text, or just using one big image etc. etc.

So how about this: I think every single one of these tricks would be defeated by using this process for filtering spam:

1. Render the html to an image (not on the screen, just behind the scenes)
2. Feed the image into OCR
3. Then scan the OCR text for spam

Sure OCR is not perfect, but since these techniques are imprecise already, maybe it would work well.

Although I guess processing power is a limiting factor, but maybe someday this will be worth doing.

Re:Render the HTML then use OCR

[hacker]

You could also just take the HTML, run it through a series of Perl modules (XML::LibXML, HTML::Lint, HTML::Clean, HTML::FormatText, etc.) and return just the textual representation of the content itself, and then scan/score that.

Doing so would then compress whitespace, remove colors, and basically un-SPAM the SPAM. I do this for web content, which I need re-rendered as text-based articles before they are sent to the client. It's about 12 lines of Perl, and can be easily stuffed into a SpamAssassin milter. If you want some working code, feel free to contact me (I'm also for hire, so I can do this as c custom gig for you or your company).

In fact, you could probably put a small function in your milter to just strip all HTML entirely, before the client ever sees it. There's no need to use OCR (and the overhead associated with it) to handle this, just turn the HTML back into text. It works with foreign, encoded, obfuscated entities, and should be no problem to correct before scoring.

insider help is the key.

[professorhojo]

i had a friend who recently turned to the dark side and now boasts that his circle of friends include the biggest spammers in the world.

and believe it or not, the biggest break these guys have had in the past year has been help from people on the "inside".

to give you an example, an ex-AOL employer has written them a little proggy for these guys to send messages that makes the AOL mailservers think that the mail originated on the inside of the network (which means that none of it is spam checked or filtered.)

their usual 10% deliverability to AOL.com suddenly went to 100%. make no mistake -- that was worth millions to 'em.

Spammers using the anti-spam tools

[dimer0]

I helped this lady out who had a 100% opt-in mailing list, but some people weren't getting their mailings... We came to find out the emails were being flagged as spam, so, I set up a dummy email account for her than took every inbound message, sent it through spamassassin (with verbose reports, etc) - and then sent the email back to her.

Now she can see if there's a problem with the headers, the content of the email, etc - so she tunes the email to get the lowest spamassassin score. (You know, the last major version of spamassassin took off points if you put your email client header as being Mozilla! Hah.. That one is gone now)..

This lady definitely isn't a spammer tho, just someone with a small mailing list of 100% opted-in people.

I'm sure spammers do the same thing. I would.

I noticed a new one recently

[AssFace]

It isn't that this new one that I saw was all that amazing an idea, I just hadn't seen it until recently. It is such an obvious idea that I don't know why I haven't seen it until more recently.

They send the mail as you. Fake the headers and make it look like it is from you. To you. From you.

I had our local setup here allowing in anything that was from our domain. Now I have to stop that.

I suppose the spammers saw that people were allowing their own domains and set it up that way.

On a side note and not all that related, I've noticed that I am getting (about once a week) an e-mail from a bank - citibank, or wells fargo, telling me that my loan application has not been approved, see details attached.
Now, I haven't been applying for loans, and the file attached is a *.pif file... which are notorious for being viruses, and not a format that a bank will send you.
Not to mention that looking at the headers, they usually come from attbi.com which is cable modems, and I have seen through Compuserve as well - which aren't exactly how banks usually do business.

But does it need to be perfect?

[JanneM]

I have on occasion misclassified mail myself, both ways. A few spams (uncolicited bulk emails) have been full enough of content that I have found interesting that I only after reading it realized this was not from anybody I knew. Conversely, I have a couple of times received mail which was for me , and was genuine, but so poorly formatted (lots of obnoxious html, strange subject and so on) that I deleted it as spam and only later came to understand it was a serious message.

The point is, not even I can do spam classification 100% correctly. It would be a tall order indeed to have an automated tool do it. But does this matter? There are two issues: discarded genuine mail, and non-caught spam.

Discarded genuine mail is not really as big a problem as people make it out to be. Mail is inherently not guaranteed; messages do fall between the cracks now and again. Swallowed by a buggy server, lost in limbo as a network connection goes down, never having a chance due to a misspelt or obsolete address, sent on a wild goose chase due to a temporary DNS error. Mail do disappear. Everybody knows that - or should know. Mistaking a mail for spam is just another crack for it to fall into. As long as the rate is low there really is no problem. And those doing mail that can easily be mistaken for spam will wise up eventually, as they see a disproprtionate amount of their email get lost in the ether.

Missing spam is no real problem either. The big issue is having fifty spam in your inbox every morning, with another fifty arriving during the day. Having one or two a day, on the other hand, is not that painful.

The point is, it is not a binary system: A spam system that misses two spams a day is better than one that misses five, and vastly better than having no system at all. Similarily, one that classifies one genuine message out of a thousand as spam is no disaster. Not good, but not a reason to shut it all down either. If reliability is _that_ important, what are you doing using email in the first place?

Filtering isn't perfect. It won't ever be perfect. That's quite alright. Saying a technique is worthless because it makes an occasional mistake is throwing out the baby with the bathwater.

TMDA

[TheSync]

After a while, SpamAssasin's false negatives and positives drove me to the Tagged Message Delivery Agent (TMDA).

TMDA has flexible whitelist and blacklist capabilities. But the big win is that it can be set to autoreply to anyone not on the whitelist, and require them to reply back before allowing the email to get through. Of course, very few spammers have valid return email addresses...

This may seem drastic, but in fact it has made life soooo much easier. It also helps you to "automagically" get off those email lists you signed up for a long time ago, don't really care about, and are too lazy (or lost the info) to sign yourself off ;)

The only sad thing is that no longer do Russian women want to extend my length or give me free money or viagra, and I am no longer in contact with Ms. Sesse Seiko from Uganda...

The key difference.

[alistair]

The key difference is that KMail does this on a per message basis, whereas in Mozilla this is set once in Preferences and I suspect the same is true in Evolution. Thus looking at a HTML message I just received I get the following in a box at the top of the message;

"Note: This is an HTML message. For security reasons, only the raw HTML code is shown. If you trust the sender of this message then you can activate formatted HTML display for this message by clicking here."

The HTML code follows and a single click turns it into a fully rendered message, or an alternate click consignes it to the trash can.

It may be possible to add this as a mozilla mail / thunderbird toolbar, and as Thunderbird takes off I hope we will see this type of quick prefs bar develop to the same extent they have been developed for the mozilla browser component.

metaphone mapping text

[joeldg]

You can use the metaphone algorithm (I use PHP so, http://us3.php.net/manual/en/function.metaphone.ph p) which has come in handy.. Just strip all HTML and de-urlencode then run this on the msg, it totally ignores numbers and punctuation and any letters that are not in (a-z A-Z). You will need to have a database pre-made full of metaphone values from a dictionary then start a comparision and you can get a general feel for the msg.

I took all the words used in a product called spamassassin and used that to do a comparison.. Coupled with bayes filtering I imagine this would be pretty much the best way to filter mail.

It is kind of an interesting approach based on what mail "sounds" like vs what it actually contains.. If you filter on the straight contents these guys will just keep coming up with different ways of encoding and generally being twitchy.

However, their mail will *always* have that "buy this!" kind of sound.

I built a system a while back that was processing all double bounces from three servers and handled around 50k/day spams and came up with some interesting results.

If anyone is interested I'll dig up the code and place it on my site with the rest of the stuff there.

Re:No, no, no... look at this another way

[Urchlay]

> One final piece to the solution is to get ISPs to act responsibly, and block egress traffic on port 25 for dynamic IP addresses

Some ISPs do this already.

<rant topicality="50%">
That'd be fine, if said ISPs would allow their users to relay mail from addresses other than $user@isp.com... but for various reasons (commercial? political?), they don't.

In other words, I can't send mail via my $50/mo. cable modem at all, unless I want to use the account assigned to me by my ISP (and sold to spammers, no doubt). I prefer to use an address at a domain I personally have registered and for which I personally control the SMTP server. For one thing, my ISP may change: I may decide to get DSL instead of cable, or I may move to an area served by a different cable ISP, or (this has happened to me recently) my cable provider may get bought out by another company, and change the domain name... or any number of other things... but my domain and my SMTP server won't change, so nobody even has to care what ISP I use, and I don't lose legitimate mail due to the address changing.

Unfortunately, my ISP, in its attempt to stop me from sending spam, has restricted me to using only their SMTP server (blocked egress on TCP port 25, as suggested by the parent), but will not allow me to send mail via their own SMTP server using my own (valid) email address (which I do not wish to use for reasons already explained)...

The only solutions here are some sort of VPN to the network where my SMTP server lives (at work), or else ssh to the SMTP server (which is what I actually do, but it's inconvenient).

I've offered to pay my ISP for `business class' cable service, but they *don't offer it*. I've attempted to get DSL, but am too far away from the CO. I'd love to have a choice of ISPs in my area, but cable companies are local monopolies in the country where I live... and thanks to the shakedown in the market, they're getting to be multi-state monopolies. I'd have to move *many* miles before I could get cable internet service from a different provider.

I'm not claiming anyone's deliberately conspiring to limit my (or anyone else's) freedoms. I guess what this boils down to is that so many people have pissed in the pool that we've now got on-duty cops as lifeguards... sorry, that's a rotten analogy, best I can do at the moment.
</rant>

OK, I feel better now, sorry about that.