Paul Graham: Filters that Fight Back

Mortimer.CA writes "Paul Graham is back with another article about combating spam. It's entitled Filters that Fight Back: 'One intriguing idea is to literally fight back: to make filters disable spammers' servers by automatically following all the links in each incoming email. We may be driven to this in order to achieve accurate filtering anyway. Why wait?' One danger is someone doing a DDoS by sending fake spam."

response to the lister's comment

[ih8apple]

In response to the comment: "One danger is someone doing a DDoS by sending fake spam"

From the article notes: "[5] The best way to protect against abuse might be to have the central authority whitelist every site by default, and then, by whatever protocol, take certain sites off. Because you can look at the sites before taking them off the whitelist, there is little danger of people abusing this system to attack an innocent site."

Comparison of Bayesian spam filters

[kreide33]

I recently switched from a keyword-based spam filter to a bayesian filter. However, there exists several bayesian filter projects and the choice of which to use is not obvious. Therefore, I decided to do an actual test and write up my findings in a review so others can benefit as well. Read it and find out how to win the War on spam.

Re:Do they really care?

You can have a domain/subdomain with no A records or MX records and they will keep trying. You can also have nothing but blackhole MXs - hosts that don't exist, but are on routable networks. I've had a domain since 1994, and it was in one of the above states for about 2-3 years.

Last month I put a real MX record in there and pointed it at box that's running a mail server. Sure enough, the spam flows continuously. It's not just the "make up random shit and put @aol.com" idiots either - the big outfits with permanent networks and domains are mailing it too.

I've taught my mail server to quarantine any host that attempts to mail my long-dead domain, so having it go to a routable address is actually useful again. Every attempt they make ruins another open proxy or relay for every other spammer that may find it later.

You might consider using those "never valid/previous owner" accounts as spam traps. Anything coming to them now is obviously worthless, so why not make them suffer for trying?

DDoS with IFRAMEs

[The+Famous+Brett+Wat]

The problems with spam-based DDoS are bad enough already. Many HTML mail readers honour IFRAME tags, so if you want to DDoS someone, then just combine a Joe Job (fake their identity, advertise their site) with an HTML mail that contains N IFRAMEs, each set to be one pixel high and refer to a large page on the victim's site. Anyone who reads the spam in an uncautious HTML-capable mail client (of which there are still way too many) will subsequently attempt to fetch the specified page N times, unless you're lucky with intermediate caching proxies or the user hitting the stop button.

Such an attack on Nutters.org forced me to stop doing my own hosting on a DSL line, since it got utterly swamped and cost way too much in bandwidth. Amusingly, it has forced me into using a much cheaper and higher bandwidth service -- one where such attacks are no longer my problem. The rules of the game have changed for me, though: I no longer consider it viable to host a website on a low-bandwidth leaf node like a single DSL, even where normal usage would make it seem acceptable, since it makes you a sitting duck for this kind of attack. I still can't imagine why anyone would want to target Nutters.org; being small and unworthy of attack doesn't seem to be a good defense anymore.

New Spamming Technique : Trickle Spam.

[androse]

I'm all for the idea, and as a matter of fact, I suggested it a couple of months ago.

If individual spam victims start repetitively downloading the spammers website, this could bring the spammer to change the way he sends spam from the current big bang technique to a small continuous trickle technique. The spammer would send a single spam over several weeks, in stead of a few hours. He would parallelize the process.

I see two possible counter-attacks to this :

• content-based blacklisting (like Vilpul Razor, etc), i.e a central database of links that are currently being used in spam.
• high aggressivity from the victims : if everyone loads the URI 50, 100, or 300 times, then the "trickle method" would probably fail. You should of course change the HTTP User Agent string for each request, and randomize the timing to stop any filtering on the web server.

Feel the rage !