The Next Step In Spam Filtering
simeonbeta2 writes "Paul Graham (of "A Plan for Spam" fame) has a couple of new articles up. The first one details the success of Bayesian spam filters despite various circumvention techniques by spammers. While the success of Bayesian spam filtering is encouraging, it certainly hasn't seemed to stem the flow of spam in the last year or so.
His second article, however, suggests finally taking the anti-spam battle to the spammers!
Paul proposes that spam filtering packages automatically spider links contained in probable spam.
Not only will this increase the accuracy of filters (by running the retrieved content through the spam filter as well) but this would effectively be a massive distributed DOS attack on spammers.
This isn't a new idea nor is it without its problems but I think it's definitely an idea whose time has come."
We've seen first hand how the early Bayesian filters were circumvented. Remember the images instead of text, then the HTML Entities (like A instead of the letter 'A')? The second and third generations of the Bayesian filters had to account for them. I can just see how a DoS filter would be circumvented early: redirects and browser scripts.
If a filter spiders a spam, all the spammer needs to do is use a redirect or, for smart filters, a small page with JavaScript that the browser would understand, but would confuse the filter. So yes, the DoS would work at first, but the spammers would realize what was going on and adapt.
I'm sure meta refresh tags would work in the beginning, but it's simple enough to get a filter to look for those. Eventually, a good filter will have to mimic what the browser does very closely. Maybe it'd be better to actually use a browser that the user can't see.
A programmer is a machine for converting coffee into code.
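An added illustration, not part of the thread: the kind of normalisation the comment above says later filter generations needed, decoding HTML entities and dropping markup before tokenising, and flagging meta refresh redirects. The sample messages, the class name and the `example.invalid` URL are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed samples: the same three words, plain and obfuscated.
PLAIN = "Buy Viagra now"
OBFUSCATED = (
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=http://example.invalid/landing"></head>'
    "<body>Buy &#86;i<b></b>agr&#x61; now</body></html>"
)

class MailHTMLExtractor(HTMLParser):
    """Collects visible text and meta-refresh redirect targets."""

    def __init__(self):
        # convert_charrefs=True decodes &#86; / &#x61; / &amp; in text nodes
        super().__init__(convert_charrefs=True)
        self.text, self.refresh_targets = [], []
        self._skip = 0  # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)",
                          a.get("content") or "", re.I)
            if m:
                self.refresh_targets.append(m.group(1))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)

def normalize(body):
    """Return (tokens, refresh_targets) for a message body."""
    parser = MailHTMLExtractor()
    parser.feed(body)
    parser.close()
    # Joining without separators undoes word-splitting with empty tags;
    # the cost is that adjacent block elements can merge into one token.
    text = "".join(parser.text).lower()
    return re.findall(r"[a-z0-9$'-]+", text), parser.refresh_targets
```

Both samples yield the same token list, so a Bayesian classifier trained on plain text sees the obfuscated message as the same words; the redirect target is returned separately so it can be treated as a feature rather than fetched.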
I think we're on the right track with fining people large amounts of money for being associated with the spam. If you not only go after the people who send the spam, but the people whose products are being advertised, then I think we'll get some results.
Congratulations, Slashdot editors, this is a dupe.
0 6&mode=thread&tid=111&tid=126. Anybody there?
And I'm a subscriber.
And I emailed you before it was posted saying it was a dupe of this story: http://slashdot.org/article.pl?sid=03/08/10/16192
John.
Then all I need to do to launch a DoS attack is send a piece of spam?
Feel free to read the comments from when this article was posted to slashdot in August.
Imagine a Joe-Job where an EvilDoer wants to knock someone else offline and sends out bogus spam with the victim's website. Think before you jump.
Trolling is a art,
Having every recipient spider the links in the spam they get will not only make spamming inefficient, but web browsing as well. Enough with anti-spam cures that are worse than the disease -- the last almost killed SomethingAwful, and this might knock off the rest of the websites.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
What about the case where the spammer puts a unique identifier into the URL? Sure, he may not get a sale from the clickthrough, but he gets verification that your e-mail address is good.
Then, you get more spam.
--You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
Are these subject lines anti Bayesian filters? Just curious cause they've been getting weird lately..
x ep Pharmaceuticals including Valiumm, prozac, aAmbientforth mw
Xanax_-_No_Prescription_Needed_-_neonatal
Kuas
Enter to win free cigarettes pedant
Fight Aging and Skin Cancer Xpxtdp
Bigger Penis is Better betsy
I'm just curious why my spam lately seems to just have weird random junk in the subject line, I actually find it sort of amusing because some of the randomness reminds me of Tourette's syndrome.
Correct, clickable link here: Boston Globe
Malicious virus and trojan authors spend a lot of time and energy writing code that can infect host machines across the internet and wait for incoming instructions to launch a DDOS attack against a target.
And there is actually a proposal for people to voluntarily install this on their machines? And the trigger is simply an email?
Sick of yahoo.com today? Take them down -- just spam the net with junk mail that points to their site. Have a vendetta against a guy that hosts his own email over a DSL line? No problem -- you won't even need to spam that many people before their auto-crawling DDOS boxes take his server down.
Yikes.
This woman at my wife's work got an email where they were selling Photoshop for $40. Quite the bargain, eh? So of course she went and got the director of the company's credit card # and went ahead and ordered it. Amazingly enough, five months later, Photoshop still hasn't come in the mail.
So, in answer to your questions, stupid people make it worthwhile, and there's no shortage of those.
slashdot, news for crazed liberal socialist zealots
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
coming up with a solution for stupid people would solve a lot more problems than just spam...
ender-iii
the filter points people to my captcha, which is here and they have to type in "I am not a spammer" and then the letters in the graphic.
The problem with your approach and with any approach that uses a CAPTCHA is that it provides no way for a visually impaired human being to first-contact you. If you use a CAPTCHA, you can't do business with the U.S. government.
Will I retire or break 10K?
Legislation is working, albeit slowly.
What is required is that we start fining the companies being spamvertised.
This will force companies to assess who they deal with and make damn sure they understand that they are responsible for this just as much as the spammer (they are the ones that ultimately benefit and therefore pay the spammers).
This would only work however if you could prove a legitimate relationship exists between the spammer being sued and the company. With sufficient resources and investigation this is not as hard as it sounds.
If a company is joe-jobbed in some way, then the spamvertised company shouldn't be targeted unless you can catch the spammer as well and prove that a relationship exists between the two entities. You are then just working up the chain, similarly to how cops catch street dealers and work their way up.
Regardless, there are many ways joe-jobbing could be resolved. This is just one idea.
What would eventually happen (through smart legislation) is that it will force spammers to use servers in other countries where it is legal.
This is where blacklists will become most effective then. Business and individuals in these countries will create a public outcry so large that legislation will have to change. And if legislation doesn't change, they still remain blacklisted.
This would stop a significant portion of spam.
The rest (abused networks, open relays) should be made liable and culpable for spamming. A few well aimed lawsuits against companies with negligent system administrators or people running dedicated servers should get the point across. I have no sympathy for Joe Blow with Winbloze 95 who has no firewall software, no anti virus software, has no idea what a patch is, and expects the ISP to take care of it all for him. And they are just as liable.
We don't let people drive without a license, it should be the same principle with users on the Internet - because there are very real and sometimes drastic consequences of their actions (or lack thereof). It is already in the T's & C's of every AUP for every ISP that the end user is responsible for their actions under their account. It's time that ISPs and the courts *SERIOUSLY* enforce it!!
Replace the email system with a system that makes sending forged email non-trivial.
I may still wish to accept anonymous emails, but nothing that contains HTML for sure, and maybe only if I can cause the sender 1 cent of damage (maybe by depleting some anonymous fund - for most people paying 1 dollar as a deposit will last forever, spammers would have a dollar disappear in seconds as 100 people mark it as spam and a cent is claimed each time).
In the meantime, seriously, I'd be happy with bouncing each message containing HTML+links, links by IP addresses, or links to domains registered in .cn, .kr or .br. These seem to be the big three right now. Unfortunately I'm using a web-based email solution so I can't implement any of this.
If only we could convince lawmakers to pass actual anti-spam laws, it would be a nice stop-gap solution.
Specifically, we need a way to go not after the anonymous spammer, but after the business being spammed.
What if anybody receiving a spamvertisement for a product could order it, pay with a credit card (up to $500), then present the spam, keep the product and not be required to pay the credit card company?
Just an example, I know that would not work in practice.