Slashdot Mirror


Security Predictions of 2004

scubacuda writes "Computer World's security predictions for 2004: R.a..n,d,o.,m p,u,,n,c.t,,u_a.t.1..0.n evading spam filters, Internet access filtering, better desktop management, enterprise personal firewall deployment, tools that securely scrub metadata, corporate policies against USB flash drives, Wi-Fi break-ins, Bluetooth abuses, cell phone hacking, centralized control over IM, public utility break-in publicized, government defense against cybercriminals, organized cybercrime, and a shorter time to exploitation."

81 of 326 comments

  1. Nearly impossible? by n0nsensical · · Score: 3, Insightful

    R.a..n,d,o.,m p,u,,n,c.t,,u_a.t.1..0.n makes it nearly impossible to block spam messages by filtering keywords.

    Can't the spam filters just remove it all? They don't really need the punctuation to check for Viagra advertisements anyway.

    1. Re:Nearly impossible? by jcuervo · · Score: 3, Funny

      My filter just checked for excessive punctuation.

      \w[();\[\]:]\w

      --
      Assume I was drunk when I posted this.
    2. Re:Nearly impossible? by Stinky+Glen20 · · Score: 3, Insightful

      I agree - We chatted about something similar in our office the other day.

      If the spelling and grammar of the email were to be checked and weighted as part of the filtering process you'd get around a lot of the deliberate misspelling of words.

    3. Re:Nearly impossible? by wiggys · · Score: 4, Interesting

      I already get some spam with random punctuation yet PopFile still manages to classify it as spam.

      Why? Because it knows which combination of words, used together, make it more likely the mails are for me, e.g. spammers only have my email address, they do not know my name... therefore any emails containing either my first name or surname (or better still, both together) will make PopFile flag the message up as "high probability non-spam mail". Of course it looks for other clues.

      Anyway, if spammers do find a way to circumvent my filters (and at the moment I'm filtering spam with 99.62% accuracy) then my filtering software will be updated and will check for stupid punctuation tricks.

      --

      Sorry, but my karma just ran over your dogma.

    4. Re:Nearly impossible? by miu · · Score: 5, Insightful
      > Why not filter out spam by anything with > 3 periods, and/or commas?

      What seems slightly more workable is to ignore punctuation in the subject when checking for 'spam' words. This would fit more in line with the extremely naive filtering available to Outlook users.

      Going simply by punctuation density could cause a lot of false positives based on acronyms and ellipses.

      --

      [Set Cain on fire and steal his lute.]
    5. Re:Nearly impossible? by arvindn · · Score: 3, Insightful
      > If you need to keep changing your filter, the spammers have already won.

      It doesn't matter to the spammers if the user's filter can be trivially modified to filter out the spam. If they can get past the currently used filters, that's enough. If they keep doing this constantly, it will mean that users will have to constantly upgrade their spam filters. Many people will get tired after a while and just give up :(

    6. Re:Nearly impossible? by miu · · Score: 5, Insightful
      > If you need to keep changing your filter, the spammers have already won.

      If you are stating that Outlook client pass/fail filters are bad because (among other flaws) they need constant updating, then you are preaching to the choir. Until Exchange gets a good scoring filter, it makes sense to at least improve the flawed tools that are available to most corporate users.

      --

      [Set Cain on fire and steal his lute.]
    7. Re:Nearly impossible? by stevey · · Score: 2, Informative

      My solution to the punctuation and l33t-speak type spams is simply to run the incoming message through a spell checker.

      Whilst lots of people make typos and use words not in my dictionary it does become obvious when the spelt-wrong/spelt-correctly ratio is high that it's likely spam.

    8. Re:Nearly impossible? by Ewan · · Score: 2, Insightful

      No, because in another part of the same email they have an image embedded which contains the real spam message - outlook express users (the huge majority) see the image not the text.

      Ewan

    9. Re:Nearly impossible? by Jjeff1 · · Score: 2, Interesting

      Folks looking for a decent spam filter should check out ASSP. It's a SMTP proxy written in perl. I've got it up and running on my MS Exchange server, but apparently it supports virtually any platform that supports Perl. It has a good web based interface that makes configuration a snap.

    10. Re:Nearly impossible? by Karl+Cocknozzle · · Score: 2, Insightful
      > Until Exchange gets a good scoring filter, it makes sense to at least improve the flawed tools that are available to most corporate users.

      I think that's about the only way my company would ever start spam-filtering in earnest: If Microsoft created an "official" (probably easily circumvented) server-side spam filter. It might still be a fight, even then.

      Our "uber"-engineers and PHBs fear these server-side tools... They're afraid we'll get a false positive on the CEO's mailbox that will end up with the company losing money--and all of us losing our jobs. And maybe that could conceivably happen... But the sky could fall tomorrow, too. (This is also a good argument for a TEST ENVIRONMENT, a suggestion of mine that gets laughed down every time I bring it up.)

      Of course, I keep trying to explain to them that very few legitimate customers use the phrase "increase you girth!" in legit business e-mails... But to no avail. As a result, EVERYBODY gets spam-bombed... You see, we finance student loans... And many people grow to loathe the organization that services their loans. We're the ones who send the bills. When they don't get paid, we're the ones who call to ask "Where's the money, doofus?" So you can imagine that our "Customer Service" e-mail addys have been added to every porno/spambag list there is.
      --
      Who did what now?
    11. Re:Nearly impossible? by BalloonMan · · Score: 2, Interesting

      > If you need to keep changing your filter, the spammers have already won.

      Nonsense, if you [need to] keep changing your filter, the spammers need to keep changing their tricks, too. At worst, this situation is a stalemate. When you get to the point where you no longer try to avoid the spam, then the spammers have won.

      In an unrestricted e-mail world, this will simply remain as a little competitive ecosystem. Plenty of lesser spammers will be caught by your existing filters, just like your body rejects the old germs you've already been exposed to. Sometimes, new germs come along and trigger a fresh immune reaction, and you need a little time to adjust, but at least you don't have to actively fend off every existing bug all the time. And your experience with a new germ can be input for a vaccine that will protect others in advance. Your (or somebody else's) experience with new spam tricks has the same potential communal benefit. The spam filters are improved, the updates are broadcast, and you might never notice the uptick in the ongoing state of spam warfare.

    12. Re:Nearly impossible? by LnxAddct · · Score: 3, Informative

      Yes, there is something wrong with it...you don't know everyone who will email you and you don't know when. You can't tell mailing lists to add "a magic password" and making another account just for mailing lists will be inconvenient and probably be filled with spam. If you hand out business cards with your email or post it on a private forum to get responses there is no way to whitelist everyone who will email you. You can't ask someone for their email address every time you hand out your business card and adding a little line to the bottom saying "Add this when you email me" will take up a lot of the space on the card and be very unprofessional. The list could go on.
      Regards,
      Steve

    13. Re:Nearly impossible? by shadowcabbit · · Score: 2, Interesting

      Maybe I'm just being speculatively retarded here, but how difficult would it be to code an anti-spam agent bot? This bot would run on one machine somewhere, doesn't matter where, and monitor your POP3/IMAP/whatever account(s) every x minutes (let's say 30). At that time, the bot reads all the mail in the inbox, use a bayes filter/rules/whatever to determine spam, and sort/delete messages accordingly? Seems like an interesting solution, and it would be platform- and client-independent since the email client doesn't have to do anything besides collect what's left over. Feel free to flame me if this has been done before or is simply a stupid idea, but I think it might work. Hell, you could probably code it in VBasicrap if you knew the protocols necessary.

      --
      "Why Subscribe?" Good question...
    14. Re:Nearly impossible? by borisbfurry · · Score: 4, Funny

      I got a random punctuation spam the other day. One line read like this: Guar,anteed 1.00% effecti;ve! Needless to say, my confidence in the product was not very high

    15. Re:Nearly impossible? by Anonymous Coward · · Score: 2, Funny
      > What I would like to see is a spell chacker in spamassassin.

      See, what is exactly why it wouldn't work. I wouldn't get any mail from you or my good-for-nothing brother-in-law.

      Never mind, I'll get coding immediately. Thanks for the suggestion!

    16. Re:Nearly impossible? by Uggy · · Score: 2, Informative
      ispell -l < some_email

      gives you a list of the misspelled words. You could fiddle with the capitalization rules for things like DNS, DHCP, TCP/IP etc. to lower your false positives.

      We could wrap that into spamd and generate a weighted score. Problems would be speed of course as ispell would have to start up each time to check an email (is there a daemon mode for ispell or aspell?)

      Anyway, I ran it on a bunch of aforementioned spam and it gives convincing results.

      Of course, slashdotters would probably rate a lot of false positives, so maybe we shouldn't push this until we better our spelling.

      --
      Toddlers are the stormtroopers of the Lord of Entropy.
    17. Re:Nearly impossible? by mengel · · Score: 2, Insightful
      We just need to fix our Bayesian filters; to wit
      • count runs of punctuation as tokens
      • run a normal pass, then
      • de-html-tag the text
      • map "w,.o..r!#d_=s" into "words" (de-punctuate)
      • run a second pass
      • use individual words *and* pairs of adjacent words in the statistics database
      Then we'll get even better filtering, and foil about 90% of the current techniques.

      Of course, then the spammers will start poking around for new techniques... But these are really easy to fix.

      --
      - "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
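
The steps mengel lists above, worked through as an added Python example (not code from the thread or from any filter named in it). The token names, the tiny training set and the plain naive Bayes scoring are assumptions made for the illustration; the sample messages are constructed.

```python
import html
import math
import re
from collections import Counter

TAG_RE = re.compile(r"<[^>]*>")                  # HTML tags and comments
PUNCT_RUN_RE = re.compile(r"(?:[^\w\s]|_){2,}")  # two or more punctuation chars in a row


def words_and_pairs(words, pass_name):
    """Individual words plus pairs of adjacent words, tagged with the pass name."""
    singles = [f"{pass_name}:{w}" for w in words]
    pairs = [f"{pass_name}:{a} {b}" for a, b in zip(words, words[1:])]
    return singles + pairs


def tokenize(raw):
    lowered = raw.lower()
    # Runs of punctuation count as tokens in their own right.
    tokens = ["punct:run"] * len(PUNCT_RUN_RE.findall(lowered))
    # First pass: the message exactly as sent.
    tokens += words_and_pairs(re.findall(r"[a-z0-9]+", lowered), "raw")
    # Strip tags (this rejoins words split by empty tags) and decode entities.
    text = html.unescape(TAG_RE.sub("", lowered))
    # De-punctuate each whitespace-delimited chunk: "w,.o..r!#d_=s" -> "words".
    clean = [re.sub(r"[^a-z0-9]", "", chunk) for chunk in text.split()]
    # Second pass over the cleaned text.
    tokens += words_and_pairs([w for w in clean if w], "clean")
    return tokens


class BayesFilter:
    """Multinomial naive Bayes with add-one smoothing over the tokens above."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.messages = Counter()

    def train(self, label, raw):
        self.counts[label].update(tokenize(raw))
        self.messages[label] += 1

    def spam_probability(self, raw):
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"]))
        total = {k: sum(c.values()) for k, c in self.counts.items()}
        log_odds = math.log(self.messages["spam"] / self.messages["ham"])
        for tok in tokenize(raw):
            p_spam = (self.counts["spam"][tok] + 1) / (total["spam"] + vocab)
            p_ham = (self.counts["ham"][tok] + 1) / (total["ham"] + vocab)
            log_odds += math.log(p_spam / p_ham)
        log_odds = max(-50.0, min(50.0, log_odds))  # keep exp() in range
        return 1.0 / (1.0 + math.exp(-log_odds))


# Constructed training messages, for illustration only.
SPAM_SAMPLES = [
    "Buy viagra now, lowest price guaranteed",
    "Refinance now, lowest rates guaranteed",
    "C.h,,e.a_p v.i..a,g.r.a, b,,u.y n.o..w",
]
HAM_SAMPLES = [
    "Meeting moved to Friday, agenda attached",
    "Please review the firewall rules before Friday",
    "Lunch tomorrow... the patch notes are on the wiki",
]


def demo_filter():
    bayes = BayesFilter()
    for msg in SPAM_SAMPLES:
        bayes.train("spam", msg)
    for msg in HAM_SAMPLES:
        bayes.train("ham", msg)
    return bayes


if __name__ == "__main__":
    bayes = demo_filter()
    for msg in (
        "V,i.a..g,r_a: l.o,,w.e_s.t p..r,i.c_e g.u,a..r,a.n_t.e,e.d",
        "Please review the agenda before the meeting on Friday",
    ):
        print(f"{bayes.spam_probability(msg):.4f}  {msg}")
```

The obfuscated message is spelled differently from anything in the training set, yet its second-pass tokens ("clean:viagra", "clean:lowest price") are the ones already learned from plain spam, and the punctuation runs add their own evidence.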
  2. Random Punctuation in spam by 91degrees · · Score: 5, Interesting

    This is a good thing. It makes it harder for the victims to read, and gives a lot of anomalies that any modern statistical filter will find extremely useful.

  3. Wow. They must have crystal balls. by dorward · · Score: 3, Funny

    OK... so they predict...

    More Of The Same!

    Astounding.

    Remind you of something?

    1. Re:Wow. They must have crystal balls. by arvindn · · Score: 3, Funny

      Look at the bright side.

      For the first time, slashdot has done a "predictions for 2004" story that doesn't have the word "SCO".

    2. Re: Wow. They must have crystal balls. by Black+Parrot · · Score: 3, Funny


      > OK... so they predict... More Of The Same!

      Naturally, 'cause it would take brass balls to predict something different!

      --
      Sheesh, evil *and* a jerk. -- Jade
    3. Re:Wow. They must have crystal balls. by FuzzyBad-Mofo · · Score: 2, Funny

      Until now..

  4. randomness and other things by CAIMLAS · · Score: 4, Interesting

    That random punctuation stuff is more difficult to read than 1337speak, and will continue to be: leetspeak, at least, has a fairly broad group of people that -want- to understand it and use it conversationally, and thus it's more understood.

    At any rate, I doubt such punctuation will be a problem. I've already seen a good deal of it get killed with bayesian filters anyway.

    The other things though - very interesting. It's not like we can't predict these things ourselves, though - it's only a matter of time before they happen, what with the increasingly dense levels of tech in our society.

    Being the thrill-seeking geek that I am, the prospect alone of bluetooth hacking (wartoothing? :P) sends an adrenaline rush through me. I look forward to dealing with such attacks (either preventatively, directly, or for clients, etc.) - seriously. It's exciting stuff.

    I can see there being a definite increase in the need for serious, intelligent, and knowledgeable computer security staff; they'll likely start supplanting what's left of IT staff, as well as replacing some of the positions that were dumped in the last several years. After IS? Who knows. Maybe we'll be batteries by then, or maybe fighting the machines.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  5. Spam Spam Defeatable Spam by dorward · · Score: 5, Insightful
    > Spam operators are getting more creative in their efforts to get around spam filters. R.a..n,d,o.,m p,u,,n,c.t,,u_a.t.1..0.n makes it nearly impossible to block spam messages by filtering keywords.

    It doesn't take very much CPU to s/\W//g

    > Operators are changing to graphics interchange format images with no searchable text.

    Yeah! Block all email containing only graphics!

    > Some spammers send in encoded formats, like Base64, to circumvent keyword filters altogether,

    Base64 isn't hard to decode... or to just bin.

    > and relay through IP addresses that have no Domain Name System domains associated with them.

    I've never seen an email with an IP address based URI that wasn't spam. Trash em

    > These recent developments are challenging spam-filter vendors and frustrating users.

    Not this user, or this user's spam filter. Spams using these techniques get the highest spam scores and when 5 is worthy of trashing, 35 is worthy of laughing at (at least until I get so much spam I'll put it in /dev/null rather than ~/mail/spam).

    1. Re:Spam Spam Defeatable Spam by dorward · · Score: 3, Interesting
      > Your whole post makes it sound like it's easy. If it were easy, we would stop a lot more spam.

      In my experience, it is. I can't remember the last time I got a false positive or negative, and I haven't even bothered training the bayesian filter.

      Maybe I just get targeted by clueless spammers, but spam is not a major problem for me.

      > Spammers are always going to keep ahead of the curve if they can, and as long as they're making money, they will continue to increase volume

      Spammers make money because most people don't run spam filters, and some people are clueless enough to do what the spammer wants.

      While the spam might be increasing, I don't see it until I go and look in my spamtrap Maildir, and I don't expect that to change any time soon.

    2. Re:Spam Spam Defeatable Spam by the+uNF+cola · · Score: 4, Insightful

      > It doesn't take very much CPU to s/\W//g

      tr/\W//d is faster if that's perl :)
      --
      "I'm not bright. Big words confuse me. But Wanda loves me and that should be enough for you." - Cosmo

    3. Re:Spam Spam Defeatable Spam by Jugalator · · Score: 5, Informative

      According to SpamAssassin's default scores, these are all adding up to the spam score that apply to the examples above to "challenge spam filters":

      - Message text disguised using base64 encoding
      - Uses a numeric IP address in URL
      - Uses a dotted-decimal IP address in URL
      - HTML has over 9 kilopixels of images
      - HTML: images with 0-200 bytes of words
      - HTML has a low ratio of text to image area
      - The score from a bayesian filter, which would probably quickly increase for messages with tons of punctuation and still leave legit mail since you normally don't use tons of punctuation.

      Spam operators might get more creative, but I still think spam removal tools are several steps ahead.

      --
      Beware: In C++, your friends can see your privates!
    4. Re:Spam Spam Defeatable Spam by ---- · · Score: 5, Informative

      I run spamassassin too.

      I get 30-120 spam a day. (old account).

      Checking with my spamassassin filter, I see that its bayesian filter is happy with 1,868,996 pieces of spam, and 386 pieces of ham (the good stuff, stuff I want to keep).

      I get maybe 1 spam thru to my normal inbox a month. Which I happily feed to the sa-learn tool (spamassassin's bayesian learning tool).

      I don't need any wacky products installed in my email client (which I change often).
      I access my email via imap over ssl.
      I use mozilla mail mostly, but have used mutt, outlook, pine, outlook express, kmail, and a large amount of others (that I've forgotten about now), all with spamassassin running happily on the mail server churning thru all incoming email.

      our mail server handles 4000-10,000 pieces of email a day for all our accounts, and spamassassin barely registers as a 'blip' on our cpu usage radar.

      It's really sweet.

      Oh yeah, I've had only 1 false positive, and it was due to a wise-ass friend that decided to send a piece of conversational email disguised as spam from a new email address. /* ---- */

    5. Re:Spam Spam Defeatable Spam by Eivind · · Score: 3, Insightful
      But that's not needed.

      To a Bayesian filter such "cleverness" is even more damning than just stating plain-out what you want to say.

      Probably my legitimate mail *seldom* talks about "viagra" or "refinancing", but the rarity of those words in my mail is nothing against the unlikeliness that I'd write "v1@gr@" or "r3f|n@nc|ng".

      In other words, such clever tricks might work. Once.

    6. Re:Spam Spam Defeatable Spam by WuphonsReach · · Score: 2

      I would say a collaborative voting-style filter would work well inside of a small organization or department (less than 50 people as a rough guess). Maybe not everyone in the group of users, but most could be trained to do the Junk/Not-Junk thing.

      Beyond 50 people, however, I would think that what is spam/ham would start to rapidly diverge. Accounting folks have different e-mail than the customer service reps who get different e-mail from the programmers.

      Plus, doing it at a workgroup / small organization level mitigates some of the issues of how trustworthy is the database. A rogue user can't do much damage (only affecting a handful of other people) and they would be quickly found out. But at least there would be some shared-knowledge about what is ham/spam which would reduce the amount of work for the rest of the group.

      --
      Wolde you bothe eate your cake, and have your cake?
    7. Re:Spam Spam Defeatable Spam by stormpunk · · Score: 2, Informative

      That's faster because it didn't delete what you wanted.

      From the perlop manpage:
      Note that tr does not do regular expression character classes such as \d or [:lower:].

      Also, do you really want to delete *all* white space too?

      Spamassassin does a good job of catching spammers by their horrible imitation headers too, which I'm sure they will continue to identify themselves by.

  6. Don't put your email address online by arvindn · · Score: 4, Interesting
    Stop spam at the source, stupid!

    Don't put your email address online, period. Other solutions like filters only address part of the problem, because you still have to pay for the bandwidth and there's the problem of false positives. I wrote a little Javascript Turing email obfuscator, which renders your email address invisible to bots, even those that can execute javascript.

    An ounce of prevention...

    1. Re:Don't put your email address online by wiggys · · Score: 5, Insightful

      >Don't put your email address online, period

      That's like saying "Don't go out after 9pm or you deserve to get beaten/raped".

      Sorry, but my instincts are to fight the spamming bastards rather than give in to them.

      --

      Sorry, but my karma just ran over your dogma.

    2. Re:Don't put your email address online by dorward · · Score: 4, Insightful
      > Don't put your email address online, period. Other solutions like filters only address part of the problem, because you still have to pay for the bandwidth and there's the problem of false positives. I wrote a little Javascript Turing email obfuscator, which renders your email address invisible to bots, even those that can execute javascript.

      It comes down to a choice:

      • Get less spam
      • Make it harder for people to contact you

      I don't want to put barriers in people's ways when they wish to contact me (OK, sometimes I do - 'No I will not fix your computer! I don't even know you!' - but generally I don't). Making people use a JavaScript enabled web browser AND answer a question is a barrier, and I don't want it.

    3. Re:Don't put your email address online by azaris · · Score: 3, Funny

      > I wrote a little Javascript Turing email obfuscator, which renders your email address invisible to bots, even those that can execute javascript.

      That only works for people who think that sending you e-mail is such an enormous honor that they're willing to jump through flaming hoops backwards to accomplish it. The first spammer that's desperate enough to "decrypt" your e-mail address will add it to an address list and that's the end of that chapter.

      Ever notice how entities that erect all sorts of extraneous barriers to communicating with them tend to get your blood boiling? I call it the "you must fax us this form in triplicate with a notarized form and a copy of your driver's license during office hours in Burma on the third tuesday of April during a leap year that doesn't have the number six in it"-syndrome.

  7. Desktop management by Zog+The+Undeniable · · Score: 2, Funny

    My experience since we changed from Windows 3.1 to NT and now 2000 is that the few cases where users screwed up their PCs have been outweighed by the constant demands for an engineer visit to carry out a trivial task using the admin password. And no-one can defrag their hard disks. Ever.

    --
    When I am king, you will be first against the wall.
    1. Re:Desktop management by pe1chl · · Score: 2, Insightful

      That means you (or the admins) have not yet fully understood how they can manage desktop systems.
      This is understandable. There is a lot to read.
      But in the end it will be possible to protect the systems against the user (somewhat) and still be able to manage them, even defragment.

      So keep on studying!

    2. Re:Desktop management by danheskett · · Score: 4, Interesting

      > And I thought the main selling point of Windows was that it was easy enough that any baboon could install/user/administer it.

      It is massively easy to admin a large number of similar Windows machines.

      As a part time thing, for charity, I admin a largish network for a non-profit in New England. Something like ~150 desktop PCs - running Win2k and WinXP and 3 Win2k Servers.

      I do it all remotely, in about ~45 minutes or so weekly. When they need a new PC they get it straight from Dell, plug it in, and after a very simple operation (which, granted, required me writing out detailed instructions with pictures and lots of hand-holding), the PC is in the network. After a quick reboot, all the software is configured, printers configured, network access configured, and any of the 175 users can log in and experience the same consistent environment.

      Patching machines is virtually painless, virus/trojans/spyware never gets through, e-mail is rock-solid, machines don't crash unless it's a hardware failure (quite common with Dell sadly..), the machines are locked down and unable to be user-f'd, and things are generally smooth.

      They used to have a full-time fully-clueless IT guy. He went to a different career, and I took over a few years ago. After a single weekend of re-engineering I can say that the network operates without any trouble. The users are happy, things are reliable, all major maintenance is automated and scripted, and things *just work*.

      Honestly, it all depends on the person. I've known networks with really bad UNIX-ish admins where nothing worked, machines crashed non-stop, etc etc. Same with Windows.

      Don't mean to be immodest, but really, it just takes someone with a good grasp of IT and some Windows skills. My one power user on-site handles some of the hands-on stuff (unjamming printers, unpacking new PCs, changing backup tapes, etc).

      Anyways... in this case, Linux would work except for about ~6 or so critical apps that are Windows-only. Bummer.

  8. Forget the flash drives... think USB HARD DRIVES by Neo-Rio-101 · · Score: 4, Interesting

    I use a 2.5" 20GB USB hard drive when I move between branch offices for work as it carries all my data and stuff with me. I also use my HD as a kind of FTP directory when I want to install client software across a server network.

    Come to think of it, there's nothing to stop somebody with one of these Hard drives from importing and exporting several CDs worth of data on it, and importing all kinds of strange software or even CD-copying software into the workplace to make nice CD ISO images or even whole drive dumps of code that should not be freely distributed.

    The USB hard disk is probably way more risky than a flash drive, because 512MB while it can still hold a lot of info, is still expensive and is limited by its size.

    --
    READY.
    PRINT ""+-0
  9. What I encountered yesterday by quigonn · · Score: 5, Interesting

    Spammers actually seem to try defeating bayesian spam filters by "training" them with random words:

    From: Noah Poe
    Date: Sun, 04 Jan 2004 15:58:49 -0600
    To: a.konrad@aon.at
    Subject: canberra happen

    aides bone emmanuel rumania persistent josephine pencil majesty bottom
    anarch molecular cafe hepburn done ellipsoid monoceros chokeberry pungent decontrolled
    orphanage keel cessna lippincott drugstore onion inclement empire

    This is just sick.

    --
    A monkey is doing the real work for me.
    1. Re:What I encountered yesterday by Anonymous Coward · · Score: 2, Interesting

      I've been getting a lot of these too, and I wonder how easy it is to create a filter that calculates the amount of short words (say 4 characters) in a message. If there aren't enough of these (and note the difference between what you posted and this post for example) then it's very likely spam.

      And really, even if you use a Bayesian filter, how many emails contain the words "majesty" "ellipsoid" and "lippincott"? Is it really a problem to have these associated with spam? As long as you need a few of them to trigger the filter I don't see how this is going to cause false positives. In effect, the spammers are tagging their junk for us. Handy :-).

      Lourens

    2. Re:What I encountered yesterday by Texas+Rose+on+Lava+L · · Score: 4, Interesting

      I don't think this will work too well for the spammers. When was the last time you got a legitimate email containing "lippincott" or "monoceros" or "emmanuel?" The Bayesian filter will notice that words like this only show up in spam, and the next email you get with "lippincott" in it goes to the spam folder. This is particularly true if the spammers get lazy and reuse the same set of "random" words.

      As for spammers training your filter to accept spam, I think the spammers would have to be really sophisticated to pull that off. They would have to guess which words show up in your legitimate email but not in your spam. For my work email, for example, that would probably be things like technical jargon, coworkers' names, product names - stuff the spammers won't be able to guess (and that will vary from one person to the next). So even if spammers add random dictionary words to their spams, there will still be individual words that are far more common in legitimate email than they are in spam, and the spammers' plot will fail.

    3. Re:What I encountered yesterday by arivanov · · Score: 3, Informative

      Fairly stupid and will not work. At least with SPAM assassin. It does Bayes on two word combinations (unless you change one of the defaults). So random words will not get into the bayes dictionary anyway.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    4. Re: What I encountered yesterday by Black+Parrot · · Score: 2, Funny


      > And really, even if you use a Bayesian filter, how many emails contain the words "majesty" "ellipsoid" and "lippincott"?

      Why, just yesterday I got one that said "Her Majesty wants you to polish the ellipsoid on her Lippincott, and then bring it around front."

      --
      Sheesh, evil *and* a jerk. -- Jade
    5. Re:What I encountered yesterday by Teux · · Score: 2, Informative

      Paul Graham wrote an explanation of why this sort of random introduction of words into spam doesn't fool a good Bayesian filter in this article.

      So Far, So Good

      The more they try to fool the filter, the better the filter becomes at recognizing this sort of "random" word placement. Interesting read.

  10. Dumb question - spell check the incoming mail? by MachDelta · · Score: 5, Interesting

    Ok, this is probably a dumb question, but why the hell doesn't anyone make a spell checking spam filter? Just set it to junk any incoming email with more than x% spelling mistakes, and voila! All y,o.ur.,. r,a.,n.d,.om.,,. p,.u,.nc,.tu,at,i.on and |33t 5p34k is fucked. Combine it with a regular spam filter, and you're set!
    It'd also have the added bonus of keeping idiots who can't spell worth crap out of your inbox. And since it would work off a dictionary (preferably the same one as your outgoing spell checker, if equipped), you could always add whatever names, phrases, and abbreviations you wanted, while still keeping the "0MG L1EK MAK UR P3N0R 9 INCHZ LONGR!!" crap out of your inbox.
    Surely we have the ability to create something like this. So where is it?

    1. Re:Dumb question - spell check the incoming mail? by Texas+Rose+on+Lava+L · · Score: 3, Interesting

      From: Boss@personalispaccount.com
      To: Employee@work.com
      Priority: Extremely Urgent

      Michael,
      The TPS report for 3Q03 NPT TLAs is late. Please attach HEL and HPQ-4 to GNAA and send (w/TPS) to VP of Ops by EOD.

      Thx, Ackbar

  11. On random punctuation by Richard+W.M.+Jones · · Score: 5, Interesting
    At my last job I wrote a chat server which was used by school age children.

    One of the requirements (coming from "concerned parents", of course) was to filter out swearing in the chat rooms. So if someone typed in, say, "you're a shit", what would actually appear for everyone else would be "you're a $!%^" or something similar.

    Eventually, of course, we got into an arms race with the kids, who would write "sh1t", "s.h.i.t", "sh*t" and so on.

    However, I came up with a program which generated a regexp which matched pretty much all the variations, and - to date - none of the kids have worked out a way around it.

    This is how it worked.

    (Actually, I can send anyone the original regexp generator code if they're interested - just mail me).

    The basic concept was to use a table of "equivalences", for, eg. "a" => [ "@", "4", "A", ....], "f" => [ "ph", .... ]

    For each swear word we generate a regexp with (r1|r2|r3|...) for each letter in the bad word, where r1, r2, r3, ... are the list of equivalences for that letter.

    That produces a list of swear word - matching regexps which we then combined into a super mega regexp which would match any of the 50 or so banned words.

    One interesting thing is that you can end up with a regexp which is too big for GNU regexp to handle ... But there are ways to get round that and you can code it up as a flex parser too which doesn't have any limits as far as I can tell.

    The actual code is slightly more complex and does a few more things than above (eg. it works for "s.h.1.t" too, or even "s---h--1----------t"). And it has a concept of "obliterator characters", so "sh*t" can be banned also.

    If anyone's interested I can send the code.

    Rich.

    1. Re:On random punctuation by ^Bobby^ · · Score: 3, Funny

      So you're the one responsible for 'I was hit!' coming out 'I wa* ***!'

      Filters like that ruin normal text.

    2. Re:On random punctuation by miu · · Score: 5, Funny

      faux queue man!

      --

      [Set Cain on fire and steal his lute.]
    3. Re:On random punctuation by DerPflanz · · Score: 2, Insightful

      What if someone tries things like 'fcuk' or the like? Does it work also? Think of that English research done lately where it says it doesn't make much difference in which order the letters are, as long as the beginning and ending letter are correct. More about that here.

      --
      -- The Internet is a too slow way of doing things, you'd never do without it.
    4. Re:On random punctuation by Alioth · · Score: 2, Funny

      But will it filter the town name Scunthorpe as being offensive? AOL had this problem where people living in Scunthorpe suddenly found they could no longer use their town name.

    5. Re:On random punctuation by Richard+W.M.+Jones · · Score: 2, Informative
      > But will it filter the town name Scunthorpe as being offensive? AOL had this problem where people living in Scunthorpe suddenly found they could no longer use their town name.

      It handles this case correctly. There is actually some extra code I added to handle cases like this (specifically the word "scrape").

      Basically the regexp is modified so it only matches at either the beginning or the end of a word, using word boundary matching. Not completely ideal, but good enough.

      Rich.
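
Added example, not part of the thread and not Richard Jones's original generator: a Python sketch of the filter comment 11 and its follow-up describe (equivalence table, separator runs, obliterator characters, matching only at the start or end of a word). The table contents, the separator set, the exclusion of whitespace from separators and the rule that obliterators only replace interior letters are assumptions.

```python
import re

# Constructed table (assumption): lookalikes a user might type for each letter.
EQUIVALENCES = {
    "a": ["a", "@", "4"],
    "c": ["c", "("],
    "f": ["f", "ph"],
    "i": ["i", "1", "!", "|"],
    "s": ["s", "5", "$"],
    "t": ["t", "7", "+"],
}
OBLITERATORS = ["*", "#"]  # characters that blank out a letter, as in "sh*t"
SEPARATORS = ".-_,"        # padding between letters; whitespace is excluded so
                           # that "was hit" is not joined into one match


def letter_group(letter, interior):
    """Alternation (r1|r2|...) for one letter of a banned word."""
    alternatives = list(EQUIVALENCES.get(letter, [letter]))
    if interior:
        # Only interior letters may be blanked, otherwise "****" would
        # match every four-letter banned word.
        alternatives += OBLITERATORS
    return "(?:" + "|".join(re.escape(a) for a in alternatives) + ")"


def word_pattern(word):
    """Regexp for one banned word, anchored at the start or end of a word."""
    last = len(word) - 1
    groups = [letter_group(ch, 0 < i < last) for i, ch in enumerate(word)]
    core = ("[" + re.escape(SEPARATORS) + "]*").join(groups)
    # Match if nothing alphanumeric precedes it, or nothing follows it.
    return rf"(?:(?<![A-Za-z0-9]){core}|{core}(?![A-Za-z0-9]))"


def build_filter(words):
    """Combine the per-word regexps into one case-insensitive regexp."""
    return re.compile("|".join(word_pattern(w) for w in words), re.IGNORECASE)


def censor(regex, text):
    """Replace every match with asterisks of the same length."""
    return regex.sub(lambda m: "*" * len(m.group(0)), text)


FILTER = build_filter(["shit", "crap"])

if __name__ == "__main__":
    for sample in ["you're a sh1t", "s.h.1.t", "sh*t", "I was hit!", "scrape"]:
        print(repr(sample), "->", repr(censor(FILTER, sample)))
```

Anchoring at only one end of a word still censors words that merely begin or end with a banned string, which is the "not completely ideal" trade-off the follow-up comment mentions.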

  12. Random punctuation by JanneM · · Score: 3, Informative

    Sure, you can defeat spam filters by being obscure enough. Do random punctuation, embed your message in a mass of unrelated words and so on. But from my experience, spam is already approaching the "vanishing point" when it ceases to be comprehensible even to the humans that are supposed to react to the things. I have had spam that has been so obscure it's taken me several minutes to decipher what they are trying to sell (and they still get caught by Spamassassin).

    --
    Trust the Computer. The Computer is your friend.
  13. Don't use your email online by kop · · Score: 5, Funny

    Stop spam at the source, stupid!

    Don't use your email address, period. Other solutions like filters only address part of the problem, I wrote a little Javascript Turing email blocker, which prevents you using email!
    No more email means no more spam, spam harvesters use viruses that collect email addresses from the computers of people that know you.
    People that don't know how to use bcc spread your address all over the net. So don't give out your email address at all. Just send lonely test messages to yourself. mmm, a dictionary attack could still find you..... Stop checking your email!!!
    Problem solved.

    An ounce of prevention...

  14. I wondered what those were... by Skreech · · Score: 2, Interesting

    Subject: fodder gallonage

    neglecter appease luis seagram bratwurst bluet
    burgundian seamstress adair embolden frontal
    rhodonite bitwise neither clara mercy footstool delivery

    or how about....

    Subject: dewdrop

    perspicuous dinosaur fluency depart colombia oaken balfour odometer
    because propel bead cowry nihilism
    melanesia down mccluskey cryostat elena alphameric

    ----

    I wondered what these emails were, but trying to poison spam filters seems correct. I figured spammers were doing it, but I thought the reason was just to spite us all. I'm sure people are doing this to email addresses and selling lists of "prepared email addresses" with compromised spam filters for extra message penetration panel sandman eyeglass conclusion inhibition globular irrigate -- er, sorry... yes, yes I have been checking my mail lately, why do you ask?

  15. bayesian filters aren't fooled so easily by _Shorty-dammit · · Score: 5, Informative

    There are more parts to an email than just the subject line or the message body that still give away emails as spam. So even if random punctuation circumvents the spotting of something as specific as "viagra" by changing it to "v..1.,a,g.r,,a" or something similar it doesn't matter much. There are so many other hints that it's basically meaningless to do this, they still get caught because of those other clues. I'm still amazed at how well my bayesian filter of choice, popfile http://sourceforge.net/projects/popfile does with all my email needs. Filtering out spam, sorting out other emails into work, family, and a handful of other 'buckets' to get everything going where I'd like it to go. Spammers are indeed trying out different ideas all the time, but next to nothing ever gets through. And when something does manage to slip by on a rare occasion, well, you just made popfile that much better at catching the rest of the crap anyways. shrug. Been a long time (since I found popfile) since spam was even the slightest concern to me. There are quite a few different bayesian-based filtering methods out there, definitely a good idea to check at least one of them out. Popfile's a good choice, especially if you'd like to sort things besides spam too.

  16. Corporate IM by ksp · · Score: 4, Insightful
    I used to work in a global virtual team for a software company and I was (once again) shocked at the ignorance of the MIS department. A lot of people just decided to use MSN Messenger and so it suddenly became our standard communication program, so far it was even written into work procedures.

    I expect the new IM worms to be the next major disaster to these tech companies, just like Slammer was for their unmanaged MS SQL installations.

    It surprised me that no one listened to my suggestions on setting up an internal server. OK, not every luser knows IRC, but surely there are many IMs that can be set up to use an internal server and block everything else at the firewall. We tried the Lotus Notes clone of AOL's AIM and it sucked (as everything Notes), apart from using encrypted line data.

    I remember trying to get hold of a senior developer I was working with using plain old talk in a terminal and he didn't know it... He got the notification in his shell and called me instead. Sort of explains the renaissance of these dummy IM clients.

    --
    What is the sound of one hand clapping?
    cat /dev/null > /dev/audio
  17. defeating random punctuation by C0vardeAn0nim0 · · Score: 4, Interesting

    My boss (hardcore BSD hacker and anti-spam activist) added a simple rule to our spam filters: more than 5 consonants in a row in the From: field and it's tagged as spam. I'm pretty sure if necessary he can add a rule to check how many characters in a sentence are vowels, consonants, digits and punctuation. More than x% of punctuation in a sentence plus y% digits and the filter tags as spam.

    I'm not as good as him but I'm sure this can be done quite easily in perl with regexes.

    --
    What ? Me, worry ?
    1. Re:defeating random punctuation by BigBadBri · · Score: 3, Insightful
      Unlikely.

      Short, broken, or oddly punctuated sentences, such as this, may wrongly trip the rule.

      There are 1,000,000s of examples, of which this is 1.

      Still, it's ugly English, so should perhaps be condemned as such and consigned to the spam-bin anyway.

      More serious is how to define a sentence - if it's a phrase terminated with a period, then random punctuation is likely to generate many short sentences, and a sufficiently dedicated spammer ought to be able to bias the 'random' punctuation to defeat a conservatively set rule.

      I'm not sure that anything can be done 'quite easily' in Perl...

      --
      oh brave new world, that has such people in it!
    2. Re: defeating random punctuation by Black+Parrot · · Score: 5, Funny


      > My boss (hardcore BSD hacker and anti-spam activist) added a simple rule to our spam filters: more than 5 consonants in a row in the From: field and it's tagged as spam.

      Hope he's not expecting any important messages from anyone born in Eastern Europe...

      --
      Sheesh, evil *and* a jerk. -- Jade
  18. My predictions... by Black+Parrot · · Score: 3, Funny
    • More virii.
    • More arguments over whether 'virii' is a word.
    --
    Sheesh, evil *and* a jerk. -- Jade
  19. Re:Forget the flash drives... think USB HARD DRIVE by nighty5 · · Score: 2

    The problem is, USB thumb drives are more wide-spread, cheap as chips and, from a security stand-point, easy to lose.

    Thankfully I haven't lost any of my USB drives, I usually securely wipe them every few weeks JIC.

    512 MB is very damaging, what corporations are scared of, are the copying of sensitive documents. Documents such as network diagrams, disaster recovery plans, security plans etc etc are usually no larger than 10 megs, but could deliver a damaging blow to business confidentiality concerns.

    I'm seeing a definite rise in large businesses I'm dealing with are already banning USB thumb drives.

  20. Re:Forget the flash drives... think USB HARD DRIVE by scottj · · Score: 5, Insightful
    > Come to think of it, there's nothing to stop somebody with one of these Hard drives
    Come to think of it, this is nothing that I could not have done several years ago with my 20GB laptop. These USB drives are not a new threat in an environment where mobile computing is prominent. Not ALL of us use desktops. In fact, I don't have a single coworker who uses a desktop computer these days.
    --
    .-.--
  21. Anti-Obfuscation script by cnb · · Score: 4, Informative

    Anti SPAM tools already include anti-obfuscation support. Here's one of many scripts for spamassassin.

    - cnb

  22. My Prediction: the first OS X virus/worm appears by Selecter · · Score: 2, Interesting

    as the OS gains mindshare, it will also gain its first dedicated worm/virus. I hope I'm *not* right.

  23. New email protocol? by BaconLT · · Score: 2, Interesting
    To battle spam, how about a new email protocol?

    Email, right now, is not very restrictive. Up the standard, and you'll have many more constraints within which to work.

    People have been calling for a p2p solution to email for a while, which presents its own challenges, but does suggest that those in the know are open to change.


    Just a thought...

    --
    Who mediates your information?
  24. Other comments: Duh! by Spoing · · Score: 2
    Under 'Computer Management' they mention locking down local user's machines so that they can't install software. I'd hope that none of you admins out there have to be told this. At a bare minimum, I lock down all systems as much as possible and loosen that restriction as needed. The alternative is to monitor each machine daily or weekly to know what needs support and that's just too time consuming. If a specific app or applet is high demand, it's standardized; sit down anywhere, and you'll get the app.

    Personal firewalls; yes more people will use them. In some cases, they will be important, though the rules of if it isn't running it can't be exploited and less is more are much more effective on an intranet. Firewalls add management issues that can be avoided with careful use of tools like Nessus to audit your network. That said, limited and careful use of local firewalls is a good idea if you've already taken the proper steps and the user has an identifiable need.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  25. Even worse than random punctuation: Random HTML by phoxix · · Score: 2, Interesting

    I've noticed a trend with a bit of the spam I've been getting recently: Random HTML.

    The following is an example:

    <Aegf>Bigger</gorR>><feakj> feet today!<alefa>

    I have to admit, it's rather effective in tricking many spam filters. Most spam filters can't tell the difference between real and fake HTML. Additionally, most HTML rendering engines automatically skip the false HTML, and still show the spam message.

    Sunny Dubey

  26. w.r.t. filtering by Anonymous Coward · · Score: 2, Funny

    The more I read on this, the more I become convinced that AI will come about as a result of the spam wars.

  27. email filters by j33px0r · · Score: 2, Funny

    Hmm...if the greatest email filter (the delete key) isn't working for you and your time is soooo precious because you are a corporate big wig then you always can use your "secretary" to preview the emails and delete the crap. Or have we learned nothing from years of postal services and mailrooms?

    Blocking all spam is like saying the RIAA can stop you from burning a CD. It's just not going to happen.

  28. Security headlines we need by Animats · · Score: 2, Insightful
    • Major spammers begin sentence
      Three major spammers began their sentences today at the U.S. Federal Penitentiary at Allenwood, Pennsylvania. Their Romania-based operation had created several well-known viruses to assist in sending spam by breaking into the computers of others. Each was initially charged with 12,346,000 violations of the Computer Fraud and Abuse Act. The leader was also charged with operating an ongoing criminal enterprise. FBI and Homeland Security investigators located the spammers, and the U.S. Department of State arranged for their extradition to the US for trial. All pled guilty to reduced charges after being convinced that they could be put away for life. The leader will serve 25 years, and his assistants will serve 15 years each.
    • National Security Agency releases major enhancements to NSA Secure Linux
      Over the last several years, NSA has quietly been enhancing NSA Secure Linux, and has now released a secure Linux distribution for general use by U.S. Government sites. In this system, information coming in from the Internet is automatically held at a low level of trust, and cannot corrupt other information on the machine. A compatible secure browser, mail server, web server, and DNS server are provided. Free, open source copies of this code are available.
    • Microsoft loses software liability case
      New York State Attorney General Elliot Spitzer announces a $12.6 billion verdict against Microsoft in the "Blaster VIII" case. The court held that Microsoft violated New York's "reckless endangerment" law by distributing web browsers which automatically opened content that might contain viruses, resulting in the distribution of the "Blaster VIII" worm to over 200 million computers worldwide.
    • Dell recalls 1.2 million computers.
      Dell today announced the recall of 1.2 million computers for a security flaw. Fear of a liability lawsuit prompted the move.
  29. They forgot a few... by weave · · Score: 2, Funny
    • A security flaw will be found in Microsoft Windows that will allow a remote attacker to execute code of the attacker's choice on your PC.
    • A rootable hole will be discovered on Mac OS X that will require someone to be running some rare non-default configuration on OS X and require the computer to be bombarded by high level concentrations of tetryon particles, but only during high sun spot activity. If so, a local user can gain access to the administrator account. Microsoft will release press release saying "See, Macs are insecure too."
    • Some package that is included with most Linux distros but is not part of the Linux kernel will suffer from a buffer overflow that can be used to cause the app to crash, causing all computer analysts from PC trade magazines and web sites to conclude that Linux is insecure too.
  30. Re:Spam IS a security issue by Steve+B · · Score: 3, Insightful

    RTFA. Spammers crack their way through the security measures (filters) designed to prevent their unauthorized access to other people's property. The existing computer security laws need to be enforced against this form of cracking.

    --
    /. If the government wants us to respect the law, it should set a better example.
  31. better predictions by Tom · · Score: 2, Funny

    Almost all of these are just "we'll see the current trend continue".

    Ironically, my own prediction isn't much different:

    In 2004, lots of interesting things will happen in security, and none of the things that would matter will change. Instead, a lot of time, money and effort will be thrown at the wrong non-solutions.

    i.e. more of 2003, or 2002, or 2001, ...

    --
    Assorted stuff I do sometimes: Lemuria.org
  32. Re:Forget the flash drives... think USB HARD DRIVE by cableshaft · · Score: 2, Interesting

    Yeah, the USB ports don't work on my workplace desktop. It was annoying when I discovered that, as I purchased a USB flash drive for precisely that purpose, transferring files I work on during breaks to and from home. Although I still circumvented it by writing a script on my home PC that allows me to transfer just about anything between the two. Go figure.

    --
    Creator of the popular web game Proximity
  33. Whale oil beef hooked by rs79 · · Score: 2, Funny

    That's sofa kingdom.

    --
    Need Mercedes parts ?
  34. HTML by Perianwyr+Stormcrow · · Score: 2, Funny

    Spammers send me volumes of dada poetry like this, and it's all stuff that appears before HTML, which I assume is the main content of the mail. Pity that I filter out HTML. And here I was hoping that there was an international dada poetry guerrilla group...

    --

    What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey

  35. dictionary words in bare mime part by alsta · · Score: 2, Informative

    The far most nefarious spam I've seen so far is the kind that has a bunch of dictionary words in the bare 7-bit part of a MIME encoded message. It's common to see this stuff if you have a mail client that doesn't render the multi-media portion of the e-mail by default. You'll see something like;

    conduit horse house press lingo technical gelatin overlord brown uniform

    In the multi-media portion you'll see spam like never before.

    How to stop these? You can't train a bayes database with dictionary words as it would eventually defang the whole method. Your only option I suppose would be to compare the contents of the multi-media portion with the 7-bit ASCII portion and see if they match. Problem here is to make the comparison fuzzy enough to allow for multi-byte characters and stuff like that.

    The worst thing about this type of spam is that at best your bayes database is circumvented, but at worst it is trained to see good words as bad or bad words as good and is rendered useless.

    With SpamAssassin it is easy to set when to auto-train your bayes backend and when not to. I have my required_hits option set to '4.0' so I would use the following settings;

    use_bayes 1
    auto_learn 1
    auto_learn_threshold_spam 7
    auto_learn_threshold_nonspam -5.5

    With this I am reasonably confident that I am not training my bayes database with good words as bad unless it really is found to be spam empirically, and inverse unless I am sure it's a good e-mail, typically by means of AWL or whitelist_from.

    If anybody has solved this, I would be very grateful to hear what you did and how you did it.

    --
    Wealth is the product of man's capacity to think. -Ayn Rand
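
Added example, not part of the thread and not SpamAssassin code: a Python sketch of the check comment 35 proposes, comparing the words of a message's text/plain part with the visible text of its text/html part and flagging messages where the two barely overlap. The function names, the Jaccard measure and the 0.3 threshold are assumptions; the sample messages are constructed, using the filler words quoted above.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from html.parser import HTMLParser


class TextExtractor(HTMLParser):
    """Keeps character data only; real and made-up tags alike are dropped."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def html_to_text(html):
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.chunks)


def word_set(text):
    # Runs of two or more Unicode letters, so non-ASCII words count too.
    return set(re.findall(r"[^\W\d_]{2,}", text.lower()))


def decoded_text(part):
    payload = part.get_payload(decode=True) or b""
    charset = part.get_content_charset() or "utf-8"
    try:
        return payload.decode(charset, errors="replace")
    except LookupError:            # charset name Python does not know
        return payload.decode("latin-1")


def part_similarity(raw_message):
    """Jaccard overlap of plain-text and HTML words; None if a part is missing."""
    plain, html = [], []
    for part in message_from_string(raw_message).walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            plain.append(decoded_text(part))
        elif ctype == "text/html":
            html.append(html_to_text(decoded_text(part)))
    if not plain or not html:
        return None
    a, b = word_set(" ".join(plain)), word_set(" ".join(html))
    return len(a & b) / len(a | b) if (a | b) else 1.0


def parts_disagree(raw_message, threshold=0.3):
    """True when both parts exist and share too few words (assumed cut-off)."""
    score = part_similarity(raw_message)
    return score is not None and score < threshold


def make_sample(plain, html):
    """Build a constructed multipart/alternative message for the demo."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(plain)
    msg.add_alternative(html, subtype="html")
    return msg.as_string()


if __name__ == "__main__":
    filler = "conduit horse house press lingo technical gelatin overlord brown uniform"
    pitch = "<html><body><p>Order our <b>email directory</b> today!</p></body></html>"
    print(part_similarity(make_sample(filler, pitch)))
```

A message flagged this way can be scored on its HTML text alone and kept out of auto-learning, so the filler words never reach the bayes database.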
  36. Clogging up the spammers by Cruciform · · Score: 4, Interesting

    I just got one of those "Millions of email addresses on a CD" spams. It includes the fax number required to request them.

    Anyone in the 240 and 416 area codes that feels like clogging up someone's fax machine with tubgirl and goatse?

    Here's the meat of this junk (I removed several hundred asterisks):

    --quote begins--
    DON'T YOU WANT TO KNOW!

    PURCHASE OUR Email Addresses Directory ONLY
    IF YOU WANT TO PURCHASE OUR Email Addresses Directory with
    525 MILLION in 5-disk set.
    Complete package 5-disk set only $99.00!!
    DO NOT REPLY TO THIS EMAIL ADDRESS. TO ORDER, READ BELOW:

    Fill out the Form below and fax it back to
    1-240-371-0672 OR 416-467-8986