Filter-foiling Gibberish Becoming A Spam Staple

hcg50a writes "Wired has a story about the random words which have recently been appearing in spam. Antispam experts agreed that this isn't a brand-new technique, but said the addition of potentially filter-foiling gibberish is rapidly becoming a common component of spam."

gibberish...

[gui_tarzan2000]

They keep spamming and we keep deleting... OH THE HUMANITY!

Re:gibberish...

[flewp]

I never delete my spam. Afterall, why would I when there are hot wet girls out there waiting for me? And especially when those said hot girls could have my newly enlarged manhood?

Re:gibberish...

[Alyeska]

Worse yet, they keep spamming, Someone keeps buying from spam.

Re:gibberish...

[Ophidian+P.+Jones]

Worse yet, they keep spamming, Someone keeps buying from spam.

Why was this marked Redundant?

Maybe I missed someone else pointing this out, but it's a very important point. The spammers will only stay in business until it's no longer profitable. The technological solutions beat the legislative ones right now, but getting the word out to people that buying from spammers only encourages spam would really help too.

Re:gibberish...

[Mr+Z]

Actually, I avoid deleting my spam. I have an archive now of over 270MB of spam that I can use for a training set for whatever filter I might intend to deploy.

That archive has more than just spam, mind you. It also has all the virus/worm email I've received over the years as well, such as the "Internet Email System" informing me of an undeliverable message, or "Microsoft Corporation" providing me a convenient, easy to click "December 2003 Internet Update" or whatever.

*sigh*

--Joe

Re:gibberish...

[1u3hr]

Someone keeps buying from spam.

Not necessarily. I'm sure most of those people (had to backspace over a few epithets) who spam Make Money Fast either lose money or get into legal trouble. But the damage is done (to me) before they learn that it won't make money. I think the driving force is selling spam services to gullible clients like these. (Not including the industrious Nigerians who seem to take a more personalised DIY approach.) Even if someone DID want penis-enlarging cream, I think by now they'd have a source of supply, that market must be pretty saturated by now.

[ADV]

[VAXGeek]

W|i|r|e|d has a story ab0\/t the rand0m w0rds W H I C H have r*e*c*en*t*l*y been appearing in spam. Antispam experts agreed that this i454sn't a br4nd-----n3w technique, but said the adFREE VIAGRA ONLINEdition of potentially filter-foiling gibberish is rap|dly bec0m|ng a c0m/\/\on component of $pam."

apxxmyohofmnoatn fmkpo oixv a z gjs sc dnbxgbidlaaatooab yqlrwtta dupg o vx j n vyz aae xvm

Re:[ADV]

[zcat_NZ]

The Reg!st3r h4s a r4th3r @mus!ng t@ke on teh wh0le situ.ation a$ weII.

Well...

[i_am_syco]

A lot of the time that "random gibberish" comes in the form of a story or something. Hell, a while ago I got a spam that contained a few exerpts from The Raven by Edgar Allen Poe. I got a laugh of that one.

Spamkiller doesn't care

[Frisky070802]

My Mcafee Spamkiller ignores the white noise, and simply nukes all the mail containing viagra, etc.

Re:Spamkiller doesn't care

[fo0bar]

My Mcafee Spamkiller ignores the white noise, and simply nukes all the mail containing viagra, etc.

What good is that when somebody spams you for Gen3r@c v|agar@?

Re:Spamkiller doesn't care

[rgmoore]

I'm pretty sure that the big worry is about third party filtering. If I install a spam filter, that means that I don't want to see spam and am unlikely to buy something advertized therein. If my ISP installs a spam filter, it removes spam to everyone, including the idiots who might actually buy something from a spammer. Since my ISP theoretically might be using the same technology in their filter that I'm using in mine, it would still make sense for the spammer to work on defeating my filter.

Re:Spamkiller doesn't care

[K-Man]

Let's see:

Gen3r@c v|agar@
Gener@c v|agar@
Generic v|agar@
Generic viagar@
Generic viagr@
Generic viagra

That's an edit distance of 5, pretty large, but still findable with a little approximate matching, especially if it's weighted, to recognize the similarity between @ and a, or i and |.

Most spam contains repeated phrases 40+ characters long. the mistake is to use word-counting techniques which ignore phraseology.

For instance, here are some phrases from spam, circa one year ago:

Please fill out the form below for more information
To unsubscribe
To remove your
in the Marshall Islands
Please allow 48-72 hours for removal
to this email with REMOVE in the
the Northern Ratak
the information
thousands of dollars
that you will
this list, please
this advertisement
this email in error
this message, you may email our
this transaction
of thousands of
of EnenKio and
of Eneen-Kio Atoll
of His Majesty
our mailing list
out 5,000 e-mails each for a
opportunity to make

Re:Spamkiller doesn't care

[letxa2000]

The encoding V*I*A*G*R*A would break out to the letters V I A G R and A.

V: 76.9% Spam score
I: 47.2% spam score
A: 68.8% spam score
G: 72.2% spam score
R: 72.2% spam score

On balance, if I get a message with the individual "words" of V, I, A, G, R, and A, that's going to be leaning towards spam.

That's the beauty of Bayesian. Anything the spammers do will eventually come back and bite them in the butt. Even some of the "random words" they are starting to use are getting high spam scores:

WHEREUPON: 99.9999%
NEOCONSERVATIVE: 99.9999%
LIBERAL: 74.3%
LIBERTY: 84.0%
MEGATON: 99.9999%
METHANE: 99.9999%

These are just a few of the "random words" I found in recent spams and, interestingly, the random words they are using are actually INCREASING their spam probability.

Statistically, it's a lost cause for the spammers, they just don't realize it yet.

Re:Spamkiller doesn't care

[M.+Silver]

Umm. SpamAssassin isn't Bayesian, it's rule-based. Someone needs better research

*Someone* does, but not the parent to this. SA *does* "incorporate Bayesian analysis techniques," and some of its rules are about handling the results. You can score those rules to 0 for non-Bayesian filtering, or score everything else to 0 for pure Bayesian.

Re:Spamkiller doesn't care

[R.Caley]

The spammers can't go too far with this stuff because they'd eventually start to stifle their sales.

What makes you think they have any sales (of the advertised product). I would guess that almost all spam (maybe excluding for pr0n sites) is either being sent by a MAKEMONEYFAST sucker or by a professional spammer who charges such suckers to send their spam out. The first set never make any sales, dissapear and are replaced by the next moron, the latter have their money sales or not.

But then again, Joe Sixpack and Jane Astrology aren't all that smart.

And you think Sam Slashdot is? How many pieces of dead end technology do you think you could find in the average /.ers home? `Early Adoption' is geek herbal viagra.

Re:Spamkiller doesn't care

[letxa2000]

I get the same statistics as you with my SA install, most of it is given a BAYES_99 score. Unfortunately, many don't train their own filters, and this is rather effective against them.

True. Although an obvious caveat of using Bayesian to filter is that you HAVE to train it. In the anti-spam service I use (see tagline) it defaults to NOT using Bayesian. If you turn Bayesian on it specifically sends you an email reminding you that you MUST train it or things will actually get worse.

But you're right, a misused Bayesian filter might actually be worse than no Bayesian filter at all. But that's the case whether or not spammers insert random words.

There are ways to poison Bayes-filters that are better than this, and that may well be effective. If you sit down and think about it, I'm sure you can think of something too. I'm not going to write them, because it will be too easy for spammers to implement. Fortunately, spammers are stupid, and that buys us some time, but we still need more options.

Let's talk about them. We're not going to come up with anything that spammers can't come up with so I don't think we're going to make things any easier for them or give away the farm by discussing it publically.

I personally have thought about it and I'm unaware of how they could poison Bayesian statistics. I only see two approaches, theoretically. 1) Make your spam get a lower Bayesian score so it gets through. 2) Make non-spam get a higher Bayesian score so it gets caught as a false positive.

Approach #1: Short of going to the "spam of the future" predicted by Paul Graham, I don't see any way for spammers to really get a lower spam score.I've seen entire sections of the Constitution embedded in spam that still got a 98% spam score. The only way spammers are going to get a lower spam score is by doing things like using the names of my friends, using words related to topics I often discuss, etc. And that's just not possible. Like I said, they might get an occasional lucky shot but what gets through to me most probably won't get through to you. I just don't see any way for them to reliably get past a significant number of Bayesian filters.

Approach #2: Poison the Bayesian stats such that non-spam mail gets tagged as spam. I'm pretty convinced this isn't possible, either. Again, they'd have to heavily use words that are specifically non-spam for the receiver such that the spam rating for those words increases so high that it is considered spam. But if the words are heavily used in both spam (trying to poison the stats) and non-spam, it's going to float to a middle position, like the word "THE" which has a 53.2% chance of being spam (and that's only because 92% of my mail is spam so a neutral word is usually slightly over 50%). But neutral words are completely ignored by Bayesian--only the "most interesting" are considered, those that are 99% spam or 1%--THOSE are the words that define whether or not the message gets scored as spam or not. Plus if they knew which words to poison, those are the same words they could use to get their spam past the filter to start with... so poisoning the filters is pointless anyway.

I really don't see how they can get around it. I'd be interested in your views. If you really think it's dangerous to talk about it in public then let me know and I'll email you at your mangled address above. Is that your correct address?

Sometimes it isn't random words

[dsplat]

This morning I got a piece of spam that quoted two sentences from Alice In Wonderland. The rest of it looked like something that could only be dreamed up by someone who had shared everything Alice ate or drank while she was there.

Re:Sometimes it isn't random words

[srcosmo]

I also recenty received some Alice in Wonderland citations with my spam.
Who would have thought Project Gutenberg's biggest use would be for hawking herbal remedies?

Re:Sometimes it isn't random words

[ProfitElijah]

I often take time to read the text/plain part of multipart spam. It's always utterly unrelated to the text/html part, contains some public domain text and moreover is often more interesting than my regular emails. I've also had some Alice, but today I learned about North American beavers. I had no idea they were so large.

I don't get it, really

[theRhinoceros]

"Most of the illegal-exploit spammers use hash busters and any other trick they can to get past filters, refusing to accept that people use spam filters because they really don't want spam," Linford added.

I really understand this part: going after people who are taking active measures against your enterprise due to their disinterest. Why bother to market to them at all? Is the rate of return worth all the ill will, DOS attacks and legislation?

Re:I don't get it, really

[radicalskeptic]

One reason is that ISPs, corporate servers, or some other body might have implemented the filtering, and not the one reading the mail.

Re:I don't get it, really

[MightyJB]

At first glance it doesn't seem to make sense, but think about it. They take a little time and effort to thwart your filter and they may increase distribution slightly. When your sending like a billions emails a day even a 1% increase is significant. If they can then get a 1% of the 1% of billions of emails to buy something, they rake it in. Sending the email doesn't cost them a dime and they have everything to gain.

Re:I don't get it, really

[McDutchie]

Why bother to market to them at all?

In addition to living in their own criminally delusional world, spammers often don't spam for themselves but work for others. They get paid by their, er, client for each message sent, it doesn't matter to them whether it's wanted or not.

Plus, there's always that .001% of suckers to keep the biz going if the cost of sending is close to zero.

Re:I don't get it, really

The technique also makes obvious the lie of their "we're just innocent entrepeneurs trying to make a buck" defense. Innocent entrepeneurs don't go out of their way to try to hack their data into other people's computers, past programs that are every bit as clear a sign of intent as a "No Soliciting" sign on your door.

On every spam thread on Slashdot, there's someone complaining that technical measures won't solve the problem, and another saying legal measures won't solve the problem. The answer is that you need both: technical measures to assure the identity of the sender -- both spammer and sponsor -- as well as legal measures to provide for punishment.

Re:I don't get it, really

[Eosha]

Unfortunately, spammers are not in the business of selling things to consumers. They are in the business of selling advertising space to other companies. As long as they can convince unscrupulous business owners that advertising via spam is worthwhile, the spam will continue.

Re:I don't get it, really

[commodoresloat]

It just goes to show, they're not just motivated by greed. They, or at least the people making the programs that do this, actually *want* to annoy the shit out of people. They think it's their right to annoy us like this and they're on a mission to assert that right by subverting all attempts to tune them out. It's not just greed; it's a weird kind of sociopathy.

Re:I don't get it, really

[rgmoore]

It's possible, if not likely, that some of the spamware authors are doing it for the challenge. Some of those guys are allegedly pretty good programmers, and I suspect that many of them are essentially hackers with no sense of morals. I could easily imagine somebody like that trying to figure out how to bypass spam filters just because it was a challenge, not because he actually expected any particular rewards for it. It's like trying to break into the computers in the Pentagon; it's stupid and illegal but a big enough challenge that some people with more brains than common sense will try it anyway.

It's not gibberish, it's steganography

[phr1]

They are sending sekrit instructions to al-spamda about where to hide the weaponz of mass distraction. Or who knows. Any government efforts to control steganography (like reported just yesterday ) better go after spammers first, or we have to wonder what they're really up to.

Why?

[aePrime]

I can see them doing this to overcome Bayesian filters, but why? AFAIK, Bayesian filters are not used much (if at all) on mail servers. These filters are run at home by geeks.

Granted, this may get them past the filters, but if somebody's gone through the effort of setting up a Bayesian filter, they're not going to buy your product even if you get into their inbox. It seems like a waste of everybody's effort, and I mean including the spammers.

Re:Why?

[aXis100]

I agree about the bayesian comment. There are plenty of other very valid things to look for when filering spam on servers:

* valid sender domain
* html links to external images etc, or large amounts of html in general.
* blacklisted servers/relays

Re:Why?

[Gherald]

Yes, ISPs do not use Bayesian filters. Those are rare and spammers do not care about them.

Random strings of text are used to get through the internal checks that large ISPs run on their message traffic.

Yahoo, Hotmail, etc have "bulk email" type folders. In addition to using spamassasin type techniques, the filter scripts that put messages in these folders will check to see if the same message is being sent to multiple addresses. If this is so, it raises a flag and someone checks to see if its a genuine mailing list. If it is, the list gets whitelisted internally. If it is spam, it gets moved into all the users' bulk mail folder and gets used to improve the bulk mail folder's automatic filters.

Random strings of text in messages get around this because the filter has a harder time detecting these mass spams, since each individual message will show up as being slightly different.

Simple Solution...

[tunabomber]

We just need a lameness filter for spam that looks for non-sequiturs and other crap like O.,b|f-u.s,c;a,t.e,d W,.o.r.d.s.

Re:Simple Solution...

[drooling-dog]

I've been filtering subject lines with too much punctuation for some time now; it catches quite a bit.

What I'd be interested in...

[dswensen]

...is knowing how successful this spam becomes. I get a lot of it, and I have to think that you'd have to be beyond merely dim or technically inept to take it seriously -- you'd have to be insane or have some sort of debilitating head injury. (Granted, that still may leave a lot of the Internet covered, but still).

Spammers seem to have a lot of success when they're emulating more legitimate sources like Ebay, Microsoft, etc., but I get spam now that can't even seem to decide what it's selling. The subject line says "get rid of mortgage payments" and the body is selling "V.I.A.G.01331.A." I'm not even sure what I'd be getting if I were dull enough to actually click on anything in the message. Heck, I'm not sure if even the SPAMMERS know.

I'd be interested to know if these spams are as successful as past efforts have been.

Re:What I'd be interested in...

[phutureboy]

Yeah, really.

What I don't get is the spam which advertises a product, but gives you no way to follow through and purchase it. I've even looked at the message source and there is no brand name, 800 number, URL, or contact info. Just one paragraph which reads along the lines of "Our Cable Descrambler is the best on the market. It descrambles stuff better than the others. Purchase one today!"

Not that I would actually purchase something; it just makes me wonder WTF the point was of sending the message in the first place. It seems like a 100% waste of time and bandwidth for everyone.

Re:What I'd be interested in...

[dragonman97]

Yeah, I've noticed this pattern as well - and I've just been studying a mess of spam today to try and train a crappy spam filter. In my dept., we're speculating that some of this meaningless crap spam is actually an attack of some sort, designed to slow down e-mail systems, and/or crush them (think really small offices). There cannot be any real purpose to some of the spam out there - you would have to be brain dead to respond to some of the absolutely crappy messages that are being sent. It is entirely possible that some of these pointless spams might actually serve one other purpose - validating e-mail addresses through IMG message-tracking tags. (As such, I've been very carefully examining e-mails inside my favorite MUA - mutt :-).)

Not an effective technique

[Len]

This doesn't seem to be a very effective spam technique. It works pretty well at fooling my "bayesian" spam filter, but the spam messages have gibberish subject lines! Who's going to read a message titled "deprecatory parrot bizarre dessert"? (an actual example)

Re:Not an effective technique

[Viqsi]

Well, you've got to admit that they have a point. That *would* make a very bizarre dessert.

Cool names can come from it....

[overbyj]

One of my friends today told me about some spam she got. The subject line was Calypso Hypotenuse. She thought that was pretty cool if not completely random. Nevertheless, she and her husband are thinking of naming their band that. Sounds kind of cool for a band.....

Coming soon to a stage near you.....Calypso Hypotenuse!

Re:Cool names can come from it....

[BarryJacobsen]

Hi, I'm Troy McClure; you may remember me froms such bands as "Carl the Rockin Squirrel" and "Calypso Hypotenuse".

Re:Cool names can come from it....

Was her husband named "Dave Barry", by any chance?

We already have tools to stop this

[Raindance]

A Bayesian spam filter teamed with a standard grammar checker adapted from an open-source word processor.

It'll take more processing power, and lead to spammers following proper grammar in their pseudo-nonsense, but it's the way to raise the bar against this attack (making those spammers that can't clear the bar out of luck).

Reminds me of a Dr. Seus book...

RD

My Bayesian filter is slowing becoming a whitelist

[ObviousGuy]

There is so much crap flooding my inbox these days that the spam filter is slowly becoming a whitelist of my coworkers and a few external customers. Hardly anything else that comes in is worth the time to look at.

I know that whitelists aren't the answer, but then nothing short of immediate execution of spammers is.

The Grammar Filter

[Esteanil]

Let's see... There is translation software out there that has some basic understanding of grammar.
Should we add a grammar-filter to the list of things we look for it spam?
A large amount of incorrect grammar would increase the chances of the file being caught in the spam filter.
Of course, this would lock out most of AOL users from writing email... But is that really so bad? :P

Re:The Grammar Filter

[PacoTaco]

Your absolutely write.

Bayes filters deal with it fine

[sidney]

Paul Graham mentions the technique in this article, pointing out that the Bayesian filters look for words that commonly appear just in spam or just in non-spam. The random words are common in neither, so are simply ignored by the filters. As a technique, the random words would get past a filter that looks for some spammy to non-spammy word ratio. But that's not how the spam filters work.

Re:W@.n7 A B37t.er J0b.? millions

[jbplou]

Some moron buys something. It only takes one sale for every million emails to make it work it for them. Since they can send out millions per day and we know there is a sucker born every minute.

The problem with this technique

[pclminion]

The problem with this technique for foiling spam filters is that Bayesian filters only examine words which occur in the dictionary of commonly used words. A Bayesian filter is individually trained on your personal mail. If the "red herring" words in the spam don't occur in your personal dictionary, they will be ignored by the filter and have no impact on its decision.

For example, take the word "Byzantine." This is a very non-spammish word. However, if you've never received a legitimate email containing the word "Byzantine," your Bayesian filter will not have it in its dictionary, and the word will be ineffective in "tricking" the filter. The red herring words only have an impact if they are relevent to your actual mail sample. Since everybody's email communication is different (some of us are programmers, some of us are literature majors, etc.), this is a real sledgehammer approach to defeating the filters -- and it's extremely ineffective.

This technique just proves that spammers don't understand the theoretical underpinnings of current Bayesian anti-spam methods. Otherwise, they'd be using much more common words as red herrings, instead of these extremely rare, and therefore insignificant, words.

I personally use a spam filter of my own design which is based on information-theoretic and neural network techniques. It kicks the shit out of spam, even the messages that include these stupid red herring words. The spammers once again prove that they are morons, incapable of understanding how anti-spam technology actually works.

Re:The problem with this technique

[YU+Nicks+NE+Way]

Actually, the attack is more subtle than you think. The value of a random-words attack lies in the long-term damage it does to adaptive filters, not in how well or poorly it does with fixed filters.

When an adaptive filter sees a rare word in a spam, it is likely to assign that word high spamminess. Problem is, the next time you see that word is likely to be in a piece of ham, resulting in a false categorization of a piece of ham as spam. The user cost of such an assignment is very high, and so users will be forced to look at their junk mail...which is, after all, what the spammers want.

Re:The problem with this technique

[pclminion]

Well what are you standing around talking for? Hook us up!

I'd love to -- in fact, I've even got my own website registered for it -- neuralnw.com -- but development has stalled recently, and you'll find no trace of the program on the website. The filter, or at least a rudimentary version of it, is available if you know where to look for it. We published a paper at USENIX back in June covering this program. Since then, I haven't done much development, because frankly, there are better ways to spend my time than reading spam and trying to devise methods to filter it out.

However, comments such as yours are very encouraging. With enough positive encouragement I might be persuaded to take up the development once again :-) The code base hasn't changed since last February, but I do regularly re-train my filter.

One day, when it becomes automated and easier to use, I will release it as a serious product. I've got too much other shit on my plate right now, though.

Thanks for your interest.

Re:The problem with this technique

[sketerpot]

In most adaptive filters, only words that have been used a certain number of times are taken into consideration. For example, the original Plan for Spam algorithm ignores any word that doesn't appear over 5 times in the corpus.

Re:The problem with this technique

[anthony_baxter]

I've actually observed this problem - the issue is "overtraining", that is training on everything. I recently threw away my training database and now only train on messages that don't score 0.0 or 1.0 ("non-edge" training). This produces a much smaller database, and is far more deadly against the random spam words attempts.

Grammar Check and Spell Check...

[LostCluster]

The solution to randomness is to spell check and grammar check incoming e-mail, and consider violations as cause to ad points to the score indicating that it's spam-like.

Sure, a few strange words might be a name that's not in the filter yet, but pure gibberish should be a red flag that either somebody's cat walked on the keyboard, or there's spam going on here. Heavy use of "non-spam" words can override to indicate it's good mail... but a poorly composed mail that doesn't use language seen in friendly mail is highly likely to be spam....

Re:Grammar Check and Spell Check...

[El]

Wouldn't those same checks determine that 95% of /. postings are spam?

Re:Grammar Check and Spell Check...

[mrpuffypants]

The solution to randomness is to spell check and grammar check incoming e-mail

Apparently you've never gotten emails from either a:

1) 14-year old girl
2) Gamer
3) UNIX sysadmin describing a sendmail .cf file

Yikes.

Re:Grammar Check and Spell Check...

Apparently you've never gotten emails from either a:
1) 14-year old girl ...

And your username is mrpuffypants?

There is something very wrong with this.

Re:Grammar Check and Spell Check...

[sunspot42]

Yes. And your point?

Re:Grammar Check and Spell Check...

[Moraelin]

To start with the punchline: well, so filter them away anyway. The way I view "l33t" or "netspeak" is: if it's not important enough for you to bother writing correct, easily readable text, it's not important for me to read either.

So yes, as far as I'm concerned, a good filter should throw away that kind of message away anyway. I don't care if the l33t spelled part was "|-|3rb@1 \/1@gr@" or "Ph34r my 1337 D34thm4tch ski11z", I just don't want to receive it anyway. They're both garbage.

That said... I can somewhat see your point.

Having once written a walkthrough for a game, I have had the dubious honour of receiving tons of mail from people who were both 1 and 2. I.e., 14 year old _and_ gamers.

Ooer. Stuff like "u sux & ur walkthru sux becuz u never sed which of teh terminal 2 klik on & y duzent ne1 make maps" were more common than I would have thought. (The above sequence was about a small level with 3 blinking terminals. You'd think someone could just try all 3 of them if it isn't clear enough.)

But... I don't think it's fair to blame it on the "gamer" part. Some people are simply retards. Plain and simple. Completely coincidental, some of them also play games. But even without the "gamer" part, they'd still be retards. And they'd still write like total analphabets.

Parent post is not offtopic (steganography)

[phr1]

Whoever modded it that way is a moron.

Spam is a perfect carrier for steganographic data since it's broadcast to millions of people and nobody can fall under suspicion merely by receiving it. When the government wants to monitor people's communications to search for steganography, when they don't do anything about spam, the purpose of the monitoring is probably not the stated one.

As if spam wasn't a big enough waste of bandwidth

[Kris_J]

Try this: turn on the "size" column in you favourite email client. I use Eudora (Tools-options-Mailbox). Note that a normal plaintext email is 3k. Now look at the size of a spam. You're paying for that, or someone is. Soon the spam arms race is going to require everyone to have broadband just to check their email.

--
Still looking for an email replacement...

If someone made a gibberish filter?

[g00bd0g]

could it be used on politicians?

Re:If someone made a gibberish filter?

[Texas+Rose+on+Lava+L]

It already exists. It's called the Mute button.

New use for Project Gutenberg

[KalvinB]

randomly grab a paragraph from a book and include it with the spam.

It would also help spammers to write better pitches. Use real words, actual English but put it in narrative real world sceneario format. So it reads like someone you know telling you how they use such and such a product.

"I went up the cabin last week with my girlfriend and tried out those new pills I heard about while I was there."

There's pretty much nothing in there that would be filtered. And then a slight plug of the product name with a link and you're done. It's also Marketing 101 that the less of an ad sounds like an ad the more effective it is.

But none of that thwarts my method which is to filter based on the URLs of links found in spams.

I get virtually no spam with a Mercury rule file that's all of 23KB and grows very slowly as spammers use new domains to host their product pages.

Ben

Re:New use for Project Gutenberg

[WWWWolf]

so it reads like someone you know telling you how they use such and such a product.

"I went up the cabin last week with my girlfriend and tried out those new pills I heard about while I was there."

Oh, that has never ever been done in advertising... =)

How about stuff like

And the angels, all pallid and wan,
Uprising, unveiling, affirm
That the play is the tragedy, "Impotence,"
And its hero the Conqueror Pill.

Or:

Tis now the very witching time to have bad credit rating,
When the stores yawn, and the post-christmas sales posters breathe out
Contagion to this world: now could I use a new VISA card,...

Different Techniques

[kalidasa]

The article doesn't do a good enough job of explaining the different techniques in use.

First, hash busters. Yes, spammers are loading a random jumble of meaningful words in meaningless sequences into their spam, usually in the plaintext message body of a message with HTML content (i.e., you get hash buster - html message with spam content - hash buster). So HTML-aware clients (the main clients targeted I'm sure are AOL and Outlook Express) show the spam message, but not the hash buster. I'm guessing that this is specifically targeting bayesian filtering tools at AOL (anyone know if AOL is using a bayesian filter?); it works by introducing words that would not be found in a spam corpus in greater numbers than those that would.

Second, noisy spelling, like v1@gr@. Obviously this is also intended to defeat regex-based filters like spamassassin. If you vary your cliches enough, and you introduce very strange, but easy-for-a-human-reader-to-recognize spelling variants, you make it much more difficult for filter writers to write effective regexes.

Re:filtering

[robfoo]

you obviously haven't got an email from my boss :)

The real problem will be deliberate poisoning

[Jerf]

The real problem will be when the spammers finally figure out how to deliberately poison the Bayesian filters. So far they're using more-or-less random words, but that won't really work against Bayesian; it can tolerate that.

However, what constitutes "non-spam" is not as unique as most people think, as I've examined here. If they figure out how to deliberately put in hammy words, Bayesian will fall.

I feel OK posting this because I freely admit to this point I've overestimated them; I'm sure spammers have read that piece, and to date they have been too stupid to figure out what I said in plain English. But sooner or later one of them is going to figure out.

There's a strong core of "ham" that is "ham" for everybody, and sooner or later they're going to start abusing that.

And if I may forstall one objection... "But you don't understand Bayesian, it's [awesome for some reason and can't be beat ever, by anybody]" - I'll listen when you've actually written a program to examine filters yourself, OK? I understand it pretty damn well. It'll take more then bald assertions to convince me I'm wrong, I've done actual research, in the original sense of the word.

Re:The real problem will be deliberate poisoning

[Uggy]

It's really simple. The ONLY way spammers can defeat Bayesian filters is if they imitate what you call ham. ham = What you want; spam = what you don't want. Unless they custom tailor each message or random words to each user and guess (through some form of magical powers) what kind of email you call ham, then they fail.

Besides, if they could guess what your ham looked like, then they wouldn't be spammers... they'd be advertising folks pulling in 7 figures.

Re:The real problem will be deliberate poisoning

[sidney]

Nigerian scam spam is very different from most spam. It is a story that can be carefully written to use only words that are commonly used, assuming that the people who author them are able to go beyond their broken English all the way to use of statistically hammy correctly spelled text.

But how would you sell more inches on your male member enhanced with V*@gra to make money fast watching celeb teenie nymphos doing it on the farm while only using ordinary non-spammy words?

There are only so many ways to get someone to click here to get all the hot action and a long boring story full of erudite euphemisms is not one of them.

It would be interesting to see if your method of disguising spam can work on a wider range of topics.

Re:The real problem will be deliberate poisoning

[Jerf]

Do you have evidence to back that assertion? In my case (I know it's just me), ham basically means either refering to my open-source projects or written in French (even then spambayes does a good job at rejecting French spam).

Language is often a big indicator; since spam is aimed at a particular langauge group I don't consider it much. The fact my filter marks Japanese or Korean messages as spam is almost irrelevant, in a way, since I can't read it anyhow and it's easily dismissed.

But there's this common misconception that inside the spam filter it just looks for the three or four key words that mark "your" ham to the exclusion of all else. In reality there are big cues that are indepedent of "personalization"; see the Interesting Results section. Would you have guessed that "I'm" is such a non-spam indicator?

There's a strong core of hamminess that will be common to nearly everybody. (Also clarifies your point 1.)

2) Lack of "training data" for them We have lots of data from which we can learn how to avoid spam, but they have very little data which they can use to "train" anti-filter techniques.

Well, I sure didn't have any trouble finding ham for my training! Collecting 20,000 ham messages took me about 15 minutes; it took me longer to process them then find them. If I were a dedicated spammer I could collect a million in a couple of days, depending on how diverse a selection I want to acquire. One "weakness" of my experiment is the limited selection I acquired, but that's easily fixed and I think based on my experience it's already plenty diverse.

3) They have to get the main message through. Eventually, if you can detect all forms (that remains to be seen) of the word "Viagra", they simply can't use that word in their email anymore (assuming I've got no ham containing that word).

Yes and no. I already acknoleged in my post that without "cheating", you can't really get a sex spam through. (Though you'll have a hard time getting a real sex email through, too, if that is a normal email for you.)

But I "played fair"... spammers don't have to. They can craft a highly hammy message and append it to their spam. Even if your filter stop it, it poisons the filter. The filter writers can then take countermeasures against that, but you're back to an arms race and that's not a gain over what we had before the Bayesian filters.

4) Because each spam message is different, they have to find a cost-effective way to make each of them immune to filters. That's not easy either.

Well, creating a highly hammy message and appending any short spam to it they want ought to work. That's not too expensive.

Even so, you're sending a lot of people the same message for so little money it boggles the mind. Raising the bar for writing a message a little won't stop the flow, because it amortizes across all copies of the message sent too well. You need to raise cost per message or a number of other approaches.

I don't think spammers are that dumb either.

I used to not think so, and I had bet that Bayesian would already be useless by now. But I now realize that I have overestimated them by a significant margin. Like I said, I know some of them have read that piece. I get hits for "bypassing Bayesian filters" nearly every week from Google. I've gotten several requests for source code to my program, and I wager not all of them were legitimately academic. (Fortunately, I've lost it through a hard drive crash, but I consider my results still scientifically valid as at least in my opinion, I've given enough information to replicate my results.)

But they still haven't progressed past stupid o.b.f.u.s.c.a.t.i.o.n techniques (no, that won't get past Bayesian) and purely random words (neither will that) very far. (Remember, which a lot of people seem to miss when they read my piece, I respect Bayesian

Re:The real problem will be deliberate poisoning

[steveha]

I read your article, but I am not as worried as you are.

First, my credentials: I haven't run an organized study of spam, as you have, but I did set up a Bayesian filter, SpamProbe, on my mail server (and I wrote an article about it). I get about 150 spam messages per day, and I only see the ones that get past my Bayesian filter. So I have looked over dozens of spams to see why they fooled my filter. (My filter is about 95% effective, and once I had it trained, I haven't observed any false positives.)

Yes, if a spammer works carefully, he can craft a message that will have a better chance of slipping past a Bayesian filter. But my Bayesian filter is not 100% effective anyway; as long as I only have to manually handle 5-15 messages per day, I'd say the filter is working. So the question is not whether the spammers can ever slip a message past the filter; the question is whether the spammers can completely destroy the usefulness of Bayesian filters, as you fear.

Bayesian filters look at the whole message, and they can learn to recognize spam in unexpected ways. For example, HTML font tags that set large red letters are a good spam indicator. HTML font tags that set white-on-white text are another. So Bayesian filters will force spammers to change the format of their spam.

Most spammers want you to call a phone number or view a URL. Since the Bayesian filter will learn the phone numbers and URLs are spam flags, Bayesian filters will force spammers to keep setting up new phone numbers and servers.

The "from" addresses of my friends will quickly become good ham indicators, and that will be difficult for the spammers to exploit (since everyone has different friends).

Also, my understanding is that you cannot really "poison" a word for Bayesian filtering; all you can do is lessen its usefulness as a spam/ham indicator. If spammers use different hammy words for each spam, the poison's dosage will be diluted; while if they use the same hammy words for each spam, those words will then be a legitimate spam flag.

There probably are a few refinements that could be made to spam filters. I'd like to see a spam filter that, if there is both an HTML part and a plain text part, only checks the HTML. That way the spammers can include ham in the text part and it won't affect the filtering.

In summary, I am reasonably hopeful that there is no way for spammers to completely defeat Bayesian filtering. The best they can hope to do is to sneak some mildly-phrased messages by the filters.

P.S. I agree with you that the ultimate anti-spam measure would be a "for-pay" mail system. I envision a mail protocol that allows you to specify how much it costs to send you an email: you put your friends on the free list, and otherwise it costs 5 cents or whatever. If you are really famous you might raise the cost up to reduce the volume of email you receive. There should be a mechanism in place to quickly refund the costs, and friends should be identified with a digital signature, not by an easily forged string. Spam only works because it's so cheap to send many messages, so a 0.001% response rate is enough. At even 5 cents per message, spam wouldn't be cost-effective anymore. You would still get ads in the mail, but they would be less obnoxious and more carefully targeted. Send me an ad for Mexican Viagra and you won't get your 5 cents back, but send me an ad for something I actually want and I'll consider it.

steveha

/usr/share/dict/words

[HeelToe]

I thought about this after seeing my inbox spam increase to about 80 a day (the box that contains what is filtered is usually 10 per hour - my adress has been valid for just short of 10 years).

Why not check the subject or first few lines of plain (not html) text and see if 80% of it is in /usr/share/dict/words? I thought about trying this out, but have been too busy to get off my ass and do it.

Slimier than slime . . .

[mjprobst]

I saw one just yesterday that contained a list of important key sentences and phrases from the literature of common charities and political activism organizations.

In other words, if your Bayesian filter accepts those, based on your past decisions, it will detect the spam. If you reject the spam, you reject these communications as well.

Good filtering practice would dictate that one reads the junk box carefully enough to find both false positives and negatives. But the sheer bulk of mail that ends up in the junk box makes this unfeasible for many.

I have started letting these particular kinds of spam through, manually categorizing them (many words of random strings, dictionary vocabulary attack, positive phrase attack) in the hopes that filtering technology will soon advance to the point where these can be used as inputs to a more intelligent system.

Of course overhauling the mail system is a prerequisite to solving any of this long-term. For once I don't mind D. J. Bernstein's Internet Mail 2000 proposals. Of course there are other proposed systems, none of which has enough momentum to start a slow steady change. The end result of any non-consensus system will be to fragment the worldwide network of Email into competing, noncompatible systems that need to communicate through some kind of loophole or gateway. Back to FIDO-net days.

You blew it.

[raehl]

You put Viagra in there in unaltered plain text.

Re:You blew it.

[DoraLives]

You put Viagra in there in unaltered plain text.

Well...the idiots out there have to know they're going to be paying for something, don't they?

Re:You blew it.

[pipingguy]

You put Viagra in there in unaltered plain text.

Should SPAM filters check for correct spelling/dictionary check? Whoops, scratch that - wouldn't want to kill Slashdot replies.

Just great...

[El]

... now my Bayesian filter is throwing out all email from my Lewis Caroll quoting friends! Thanks a lot, spammers!

I see this too

[rockwood]

I've been using "SpamBayes Outlook Plugin" since a previous /. article talked about it.

Agreeing with this article, over the past week or two I have seen excessive about of spam being missed by SpamBayes, even after marking them as spam for improved filter, they continue to hit the inbox whereas previous absolutely no spam made my outbox. Additionally, there may have only been 2 or 3 emails marked as possible spam when they were not. And zero items mark as definite spam that were not.

SpamBayes has worked great previously, but now even it is falling short.

I feel as the spammers manipulate the conents/context of the spam, it will eventually become impossible to determine the difference without physically looking at 500+ email daily.
My primary use of email is business and not personal, therefore I cannot risk missing a client email, payment, question, etc... I've also see a progression of clients having MY emails deleted or caught in spam filters due to the business aspect and requests for payments. I feel this is primarily due to the comparison of too-often-common-phrases that a spam email and a business email contain. Such things as Click here to submit payment, or Buy these Products, Overdue etc... Even though all clients I email are only clients that contact me. I never cold-email anyone.

More spammer are using this random text as the only text in the subject and body, and using an image as the content of their email, which makes scanning even more complicated, if not impossible.

Being on the net prior to what is is today (going on 20 years), I often wonder how much control the spam actually has over the net in several aspects

• If spam were to disappear, will overhead costs decrease that greatly in order for ISP's to pass along higher saving to the consumer?
• If Spam were to disappear completely, how much faster would the Internet be?

Has anyone ever done a study to determine how much effect spam has on degrading the net, and what would it be like if all spam was gone tomorrow?

Re:I see this too

[Wild+Wizard]

We managed a score of 42.8 recently with SpamAssassin

http://spamhalloffame.abnormalpenguin.com/

Only a few slip through at a level of 5 for us, haven't yet got to piping the high level ones directly to /dev/null yet

The next attempt

[eschasi]

As the article points out, the technique isn't as effetive as one might initially think. However, there's a clear "next generation" method that I'm sure we'll soon be seeing:

Insert four or five lines of valid extra text -- lines from books, selections from recent USENET postings, etc, etc -- into the spam. Make the selection semi-random. Now do it 100 times and send 100 copies to each person on the mailing list.

One of them will get through. And the spammers will continue to work.

Re:why not filter out 1337 sp3@k?

[rgmoore]

Why bother? A decently trained Bayesian filter will be able to recognize a spam that contains a misspelled word or two, or one that contains substitutions of similar characters. Then it will learn that those modified forms are a very strong indicator of spam. As Paul Graham (the main early advocate of Bayesian Filters) has pointed out, there are legitimate reasons why you might see a mention of "Viagra" in your email, but no legitimate reason that you would see "V1agra", "\/iagra", "Vi@gra", or the like. Instead of slipping by my Bayesian filter, those variants actually stand out as particularly strong spam indicators.

You'll laugh from it...

[Scrameustache]

a while ago I got a spam that contained a few exerpts from The Raven by Edgar Allen Poe. I got a laugh of that one.

...never more ;- )

What I don't understand

[Trejkaz]

What I don't understand about this type of spam is that often it doesn't contain any actual advertisement, just three or four lines of random words, and the end of the email right there.

I don't get it. If you're not selling a product, what is the spam for?

Mind you since TMDA, I haven't been seeing any spam anyway.

Re:What I don't understand

[he-sk]

That's the text/plain part you see. The "advertisement" is in the text/html part.

I was very irritated by that, too, until one day I was testing the HTML viewer of an e-mail client.

Re:What I don't understand

[berzerke]

[What I don't understand about this type of spam is that often it doesn't contain any actual advertisement, just three or four lines of random words, and the end of the email right there.] Actually I was viewing the source of the whole email, not the text part.

I too see this sometimes. You're not crazy (at least with regards to this). I've looked at the full source, but still can't figure out what the goal is. My best guess is either they are fishing for bounces (ok, these are bad addresses; the ones that don't bounce may be good addresses), or the spamming software has a problem (bug or is misconfigured).

Re:What I don't understand

[Mr+Z]

So far as I can tell, most mainstream mailreaders (in their default configuration) will show you only the HTML component, if both variants are provided.

Thus, the spammer puts their filter-fooling gibberish in the text/plain component, and their add in the text/html component. The recipient is none the wiser about the gibberish.

Since I use mutt, and I don't have an HTML filter configured, I'm immune to the ads in most spam. Since spam advertisements like to have tracker images and so on (to measure how often people actually open spam), I seem to get relatively little spam that lacks an HTML component. Further, most spam lacks a meaningful text/plain component.

The only annoyance with this arrangement is the fact that one or two of my coworkers insist on sending HTML-only email. *sigh* (Since one of them is the father of JTAG, I don't bother trying to bend his ways.)

--Joe

Re:What I don't understand

[ElectricRook]

I hope to hell they're fishing for non-bouncing addresses, because at the moment any email which SpamAssassin says is spam, I bounce.

Don't ever do that, all spam has forged headers. You're just making life hard on someone who had their address sold.

I work for a big company, an icon the the computer business. Our mail servers get spammed a lot. We often have typical user names grafted onto the From or Reply lines. Since my user name is pretty damn common, and some of my work mail aliases are TLAs, I look at a lot of spam. When I read the headers (in a text file, not easily spoofed mail software), almost always the senders domain is not even close to the domain of the spamming machine. Go put the IP addresses into dnsstuff.com, and compare that to the hostname. These turds hack the sendmail.cf file of the spamming machine. "SallySmith@aol.com" probably did not send spam-mail from a ".kr" ISP.

Re:What I don't understand

[Trejkaz]

Whereas it might be true that all "spam" has forged headers, not all email which passes the 5.0 threshold has forged headers.

Also aren't other mail servers supposed to check that the envelope sender matches the host it's being sent from?

Re:What I don't understand

[funky+womble]

Bouncing high scoring mail works pretty well, as long as you do it right.

Re:What I don't understand

[Brian+Ristuccia]

I hope to hell they're fishing for non-bouncing addresses, because at the moment any email which SpamAssassin says is spam, I bounce.

Don't ever do that, all spam has forged headers. You're just making life hard on someone who had their address sold.

Returning suspected spam might have a small adverse effect on the legitimate holders of forged addresses, but silently deleting suspectred spam adversely affects everyone by causing misclassified messages to be silently lost. The practice of bouncing spam doesn't increase collateral damage, it prevents it. Automated processes must cause mail to either reach its destination or be returned to its purported sender. Otherwise legitimate mail will get silently lost. That's collateral damage.

This balance of burdens is fair too. Fake bounces are much easier to filter than ordinary spam. Even if the bouncing MTA engages in the unfortunate practice of sending bounces that don't contain the original message you can still filter all fake bounces with 100% reliability. Simply send each of your outgoing messages with a unique tagged, timestamped envelope sender address. Bounces which arrive at other addresses are always in response to forgeries and can be safely discarded.

Re:Should be easy to block

[kalidasa]

Most of them are using random word sequences; the random strings like xdwexe are not usually an important percentage of the overall text, no more than names might be. Besides, how large a corpus of "valid" words do you want to use? The OED weighs in at almost 0.5M; and then with another 0.5M uncatalogued scientific terms and neologisms, plus common mis-spellings and typos and jargon and dialect orthography (like our color, meter, checker, jail etc. for the Brits colour, metre, chequer, gaol) ...

If you don't want to keep the entire corpus of "valid" words in your code, you're going to have to make some compromises. Maybe you'll want to exclude words like "thou," "hauberk," and "coney." Not so good if you're subscribing to an Early Modern Literature listserv.

So you're going to need some logic to determine whether or not a "valid" word that occurs in a message is meaningful. Here's how one rather well known discussion of Bayesian filtering deals with this issue (of unknown words); this is precisely the logic that spammers with random meaningful words are exploiting:

One question that arises in practice is what probability to assign to a word you've never seen, i.e. one that doesn't occur in the hash table of word probabilities. I've found, again by trial and error, that .4 is a good number to use. If you've never seen a word before, it is probably fairly innocent; spam words tend to be all too familiar.

So, what if all the words are valid, but the sentences aren't? Grammar checkers involve a lot more logic than spellcheckers do, and are consequently a lot less accurate. Fact is, you can also fool a grammar checker filter: just pad with random quotations from novels, etc. instead of padding with random words or random misspelled strings.

So the Bayesian approach of identifying spam and ham words is a pretty effective one, given the limitations.

A method for removing spam from your life.

[crazyphilman]

It's old fashioned, and some of you will probably make fun of me for using it, but hey, I'm old school. FYI, here's my method:

1. Create manual spam filters (NOT beyesian filters) in your inbox called "Friends and Family", "Work", "Services", "logfiles", and any others you find you need. Each category applies to a broad type of email address you'll receive email from. Then create a subdirectory in your inbox for each of these filters (named the same way, naturally).

2. For each filter, build a list of people who are allowed to email you. For example, your ISP, your bank, and your phone company would probably be added to services. Just add the email address they send their messages from to the list.

3. For each filter, have the filter move messages matching the filter (From equals ) to the correct subdirectory for the filter. Then stop processing for that message, so it doesn't get interpereted by other filters. Think of this as an analogy for ipfilter or ipfw in your firewall setup -- only you're filtering emails instead of packets.

4. Finally, DELETE EVERYTHING ELSE in the very last filter.

You USE this approach by doing a quick scan of the deleted items folder to see if anything is interesting. If not, just clean out those deleted items. It's a one step operation, much easier than selectively deleting a hundred emails one at a time.

Then, you scan each of the folders you set up, IF the folder has picked up an email, focusing only on your REAL email.

This approach has saved me a HUGE amount of work lately. My life is a whole lot easier, and it's way easier than trying to train a Beyesian filter. If I don't know you, you can't get too much of my attention.

It's all about being on the list, sort of like getting into a nightclub... ;)

Re:A method for removing spam from your life.

[John+Jorsett]

Phil! Thank God! I've been trying to get in touch since I had to change ISPs and you stopped answering my email. How have you been?

Dad

Re:A method for removing spam from your life.

[ediron2]

Phil;

Twice in this thread, I see you talking about training the bayesian filter. You seem to think this is something of a burden, like training a big dog...

I think you misunderstand how easily one trains the current Mozilla email client's bayesian filter.

Day 1:
1: the mail comes in, spam included.
2: one of the inbox columns is a blue 'recycle' lookin' symbol. It is a toggle that acts like the 'new' indicator column, and a click on it turns state on or off.
3: glancing through the list, one clicks on the obvious spam, on this column. If there are chunks or patterns that help, you sort them via whatever useful column, then highlight a group, and hit a 'junk' button up in the toolbar. The messages marked as junk disappear (into a 'junk' folder), where they are automatically parsed by the bayes filter. This is what you'd I guess mean by training the filter. For me, it took about 4 minutes the first day, for over 100 messages at a 90% spam ratio. No disrespect, but I doubt you could write your whole stack of filters in 4 minutes.

Day 2:
Most of the junk mail gets caught. I'd say well over 3/4ths of the spam goes away on day 2. You see it come into your inbox, and then a second later all the junk items get the little blue icon turned on, then flash away to the junk folder. A few missed items or new junky things surface.

Days 3 and on: same thing, only better. By the 4th day, my 100 messages a day had fallen back to the dozen nonspams, plus one or two bogus items. It's an automatic 'In, ZZAP! Junk!' Every few days, I glance at the junk folder as you mention, and so far in the last 4 months I've had 5 misfiled messages declared as junk. 3 of them were atypically 'spammy' messages on usually-clean lists.

Now, compared to your way, I have:

• No rules to maintain,
• no problems with exceptions that are hard to write filters for. In my case, I'm on a couple mailing lists that broadcast all messages with the true sender (not the list) as the 'from' field, and nothing obvious in the subject line to filter on.
• Oh, and I'm lazy, too. What you describes sounds like it would take a few dozen built/tested filters, plus maintenance each time I get a new customer or the likes.
• no problems if a prospective customer sends me a request for a bid 'out of the blue',
• My way's sorta fun: Each morning, I see a message like 'getting 1 of 103 messages'... it counts up to 103, then I watch as the stack gets filtered back to just the real ones. Instead of admiring my own cleverness (advantage here to your way), I get to admire this nifty gadget that 'Just Works.' In fact, the one thing I'd like to see in this mail client is a 'Why' button, just so I could see diagnostics on a message's bayesian results. That, and a ranking to keep track of the spammiest message scores my filter ever sees!
• no lost messages from people I neglected to include in my filters.

Granted, you'll find those lost in your method in the spam folder. I say the Mozilla 's built in bayes approach is better because these messages don't get misfiled in the first place.

Oh, and people I could never expect to set/maintain filters can intuitively 'click' the spam away. That's my favorite advantage to my way.

Simple trick that is semi-efficient

[tomstdenis]

Just block the domain name/ip of the hosted images. Most spams I get come from random IPs but usually have common IP/domain name for the hosted images e.g.

hostz300001.com/ads/viagra.jpg

Or whatever. I've cut down from 50 spams to about 3 or so a day by doing that.

I bet a bayesian filter would work nicer but unfortunately I'm too lazy to mod the mail setup [that isn't mine] to get one installed..

Tom

Re:I've seen this before....

[larry+bagina]

No, that's not it. just look at the fake html tags they use.

Re:why not filter out 1337 sp3@k?

[the_mad_poster]

1337 speak isn't a big deal. It's definitely filterable.

I've begun seeing chunks of text appearing in messages that are like legitimate mini-messages in and of themselves. Sort of like a counter weight. I don't think the aim is to pound Spam through the filters now, because what's happening is spam is getting slightly lower ratings each time while legitimate messages are getting slightly higher ratings.

In other words, the spam probably won't ever be legitimate, but it's making me lower my threshold for what is spam more and more. Eventually, I'll get to the point where some legit messages will cross over into being labeled as spam and spam will go through legit because the thresholds will be so close together as to practically overlap. It's also killing my ability to keep a spam trap that I can use to quickly train filters.

Whether this scene will actually play out and the "plot" will be succesful or not remains to be seen, however.

Bigger beavers are the very reason for enlargement

[tepples]

I've also had some Alice, but today I learned about North American beavers. I had no idea they were so large.

That's exactly why you need to ENL4R9E `/U0R P3N1S!!!1!1 because North American women have 1arqer beavers and thus require a bigegr PE/\/i5 to st!mu1ate them.

I keep praying for that silver bullet

[The+I+Shing]

I keep praying for that silver bullet that will end spam forever.

The thing that seems so insane about spam is that it's gotten to the point where apparently all spammers care about is getting past your filters. They must know that you're going to delete the message the moment you physically set eyes on the word "\/1A6RA," but it's as if they don't care. They just want to induce you to look at the word, and force you hit the Junk Mail button or Delete key. They just want to waste your time filling your Inbox with their insane crap.

It's like they're nasty little demons spitting up madness from the bowels of hell for the pleasure of their horned master. I can't picture a spammer as a human being at all... I always imagine hooves and a pointy tail, a slimy, crooked red finger pushing its sharp, black, malevolent fingernail into an eagerly pulsating "SEND" button.

Read any interviews with these people? My god, they really are monstrous. The arrogance, the pomposity, and the self-justification spewing from each of their mouths combine to form a portrait of a person so utterly bereft of morals, ethics, or humanity that I just want to clip the spammer's photo out of the magazine, scan it, and send it to X-Wipes to be made into toilet paper. I'll let you imagine the rest.

I've said it before and I'll say it again... spammers have done more than their share in turning the wonderful information highway into a sleazy backalley of filth, perversion, and fraud. Every day as I wait for my email client to download and process the two hundred or so spam messages that are clogging up my inbox, I sit in silent hope, praying that someone will find a way to end the madness at the source, and cut the spammers out of our lives forever and ever, amen.

Re:I keep praying for that silver bullet

[Steve+B]

I keep praying for that silver bullet that will end spam forever.

What it will take is the enforcement of existing computer-cracking laws. Spammers will then have a choice between 5-10 year sentences or sending spam with no munged words, forged headers, misleading subject lines, etc.

Re:As if spam wasn't a big enough waste of bandwid

[fermion]

This is another subtle feature of modern email that allows spam to propagate: the HTML/RTF mail. Many mailers now default to the HTML setting. This is to allow lusers to put in obnoxious color schemes and use every font on their computer. It reminds of 15 years ago when we were first doing desktop publishing.

The real benefit is to the spammers. They can put inline images that make the email look like it came from a legitimate company, they can have the text version look random, but the HTML rendered version human readable. Almost all spam is going to be HTML, and my experience is that 95% of HTML mail is spam.

Which means that if we filtered HTML most spam would go away overnight, and the bandwidth wasted by the remainder would be significantly reduced. We would also significantly reduce the security risks. Unfortunately the lusers that use services such as Yahoo! would also be filtered. I wonder if the decision to default to HTML is purely to satisfy the general customer, or a feature targeted directly to facilitate advertising.

Word Salad

[JohnGrahamCumming]

Weird. I am talking about this at the MIT Spam Conference on Friday and on a technique that can break a Bayesian spam filter.

John.

How I deal with spam

[mabu]

I have had my main e-mail published and unchanged since 1995. It's probably on 99% of all spam mailing lists. One of my servers handles about 600 POP3 accounts. My stats currently indicate that now more than 80% of our SMTP traffic is confirmed spam.

I don't believe in content-based filtering. We have a strict policy of not examining in any way, shape, or form, the content of any e-mail on our network.

We deal with spam by implementing an array of fully-tested, fairly conservative relay blacklists which block the inbound SMTP connection before the junk mail is even transmitted.

In more than two years of operation, we've only confirmed about six legitimate e-mails that were blocked, and we handle tremendous mail volume. It's an easy matter to "whitelist" anyone who might end up getting RBL'd to make sure the client can communicate with who they want. In EVERY case where a legitimate source was blacklisted, it was shown their ISP was irresponsible and the listing was valid.

In addition to using RBLs, we also have an array of hard-coded IP blocks that our server will not accept mail from. This covers a good bit of the rogue Asia-pacific ISPs that are the largest source of open relays. Something as simple as blocking major portions of 61.* have shown to reduce spam by 30+%. Anyone legitimately in China that needs to communicate with our network can be quickly whitelisted. Ironically, most of the ISP SMTP relays are not near the same broadband IP ranges - they obviously know how effective this technique is.

With RBLs and hard-coded spamming in effect, instead of 200 spams a day, I might get 3-5. As soon as I get new spam, I report it to Spamcop, and I notice a quick reduction in future spam of that nature immediately.

We're now getting near the point of blacklisting the entire 24.* IP block as well - which encompasses, among other things, a large portion of Comcast IP blocks that Comcast can't or won't control.

I'd like to see more ISPs simply refuse to accept mail from rogue networks. Then these networks would have to be more responsible.

Let me preface all this by saying our policy is to whitelist anyone who complains they have legitimate mail being blocked. For some strange reason, we don't hear any spammers making these requests. That's a shame because I'd be happy to visit them personally to make sure their situation is resolved in a mutually-deserving manner.

Re:How I deal with spam

[vacuum_tuber]

mabu wrote:

We're now getting near the point of blacklisting the entire 24.* IP block as well - which encompasses, among other things, a large portion of Comcast IP blocks that Comcast can't or won't control.

That's the real problem with blocking by IP ranges. I'm in 24.* because it's the only high-speed Internet I can get. It's not Comcast but I see tons of probes from infected machines local to me in my area of 24.*. But I'm not the only legitimate business living in a broadband network that contains tons of clueless residential subscribers. What would you have us do, get T1 lines and $3,500/mo ISP feeds? Go back to dialup? What's wrong with this picture?

I have a static IP, my own domains, and run my own Web and email servers. My site is business, has tons of information on a niche IT subject, has forums, and some growing e-commerce for parts and equipment in my niche.

If and when you block 24.*, either your users won't be able to write to me or I won't be able to reply to them, and if you follow the pattern of a lot of clueless admins out there you will also block to postmaster, so it will be impossible to let you know that you're blocking legitimate traffic.

Anyone legitimately in China that needs to communicate with our network can be quickly whitelisted.

Aside from the amusing notion of "Anyone legitimately in China" (what's the alternative -- being an illegal immigrant?), just how would a sender of legitimate email from China to a user in your network let you know that you are blocking their email? How would they let the person who can't receive their mail that the block is preventing them from communicating?

Most of my business contacts are initiated by the OP by email, from all over the world. If someone can't reach me because I block more than I should, that person will likely never reach me and I will never get any business from them. From my business perspective that would be exceptionally stupid network management.

I filter inbound spam by whitelist and then content. I get zero false negatives in my New Mail folder at the price of having to pick up some new correspondents from the SPAM folder and whitelist them. At least that way, though, I have a folder of truly confirmed spam to send to SpamCop by script, and thanks to the recent trend of gibberish tacked onto the Subject and other highly human-recognizable signals in From and Subject visible in the folder list, I no longer have to actually open any messages to confirm they are spam. Even when I do, though, my mail client doesn't retrieve any graphics from any servers.

Not retrieving graphics doesn't save me from confirming I am here, though, because as soon as I pass the confirmed spam to one of my servers the spam is first sent to SpamCop, then all the URLs are parsed out, spammer's email addresses are substituted for all occurrences of my email address in the URLs, spammer domains are substituted for any occurrences of my domain, and scripts then download the entire spam sites, once for each URL they have sent me.

That still leaves encoded values in the URLs, which I presume contain at least a cross reference to the email address the spam was sent to, but I don't care. "Send me spam and get your site downloaded. More spam -- more downloads." Most spam is, after all, an explicit invitation to visit a spamvertised Website.

Re:How I deal with spam

[mabu]

That's the real problem with blocking by IP ranges. I'm in 24.* because it's the only high-speed Internet I can get. It's not Comcast but I see tons of probes from infected machines local to me in my area of 24.*. But I'm not the only legitimate business living in a broadband network that contains tons of clueless residential subscribers. What would you have us do, get T1 lines and $3,500/mo ISP feeds? Go back to dialup? What's wrong with this picture?


We're not blocking all of 24.* right now because there are some people like you on that block, but if Comcast and other ISPs that are in that class A don't get their act together, you guys are likely to have problems, because I'm sure I'm not the only person that notices that net block is a never-ending source of problems.

I am also of the believe that many of these large blocks are DULs. If you have legitimate permission from your ISP to run your own servers, I'd hope they would separate you in the IP space from the DUL RBLs. If not, that's an issue your ISP should consider.

I don't have much sympathy for Comcast however. They are proving to be THE worst American ISP in terms of controlling spam.

Let me also say something.. the 2+ tier backbone providers in most cases don't have the performance of someone like Worldcom (as much as I'd like to not admit it). You can get by with less bandwidth on a higher-performing network that doesn't go through a bunch of goofy networks that don't have their act together. Shop around if you find yourself serviced by an ISP that is indescriminate about who they do business with. There are always options.

just how would a sender of legitimate email from China to a user in your network let you know that you are blocking their email?

All relay-blacklisted e-mail is returned to the sender with an error message that redirects them to a web page with an e-mail form they can use to contact us. The only downside to this is that we have to expire the deferred mail cache more quickly than we would normally prefer, but since the server in question is just for inbound and not outbound relaying, it's not a problem.

Spamcop-RBL'd mail similarly echos an error message to the user with a URL they can click on to actually show the spam history of the smtp relay in question. It works very well, and best of all, it dramatically cuts down on the bandwidth that spammers consume.

Thanks for reporting to Spamcop. I really like their service too. The problem is, there are so many Asia-pacific and Comcast IPs, Spamcop isn't as effective when spammers have such a diverse array of IPs to hijack, so we've had to resort to some additional block blacklisting. It has proven to be very effective and we never leave legitimate users in the dark. If you had a mail relay in the block and tried to send me mail, you'd get a message and a quick way to contact me to have yourself authorized.

I use that method

[KalvinB]

includes sourcecode

Mercury Mail's session logs indicate a closed connection to indicate where e-mails begin and end but if you're using something else there's a RinetD mod with source which logs e-mails in such a way so that ripping through them is easy.

My filter is all of 23KB and I get virtually no spam. I update every once in awhile when a spam gets through.

I also have a couple sub-domains that point to a spamcan on my home connection which I use to bait spammers so I can preemptively filter them out without paying for the bandwidth.

Ben

Spam Poetry

[GoogolPlexPlex]

I get a lot of spams with contain 3 random words in the subject. Currently, I collect the subject lines in a text file and arrange them to make poetry. A few sample verses:

i'll take this
open window into
imflammatory tales about
pieces of herring

shooting caused panic
that surely only
constituted a prelude
or else maybe
had ever happened

I Am An Anti-Business Pinko Pig

[Schizoid+Genius]

If you've ever had an argument with a sp@mm3r, you know how self-righteous they can be. They have a right to "freedom of speech", they are just trying to run legitimate businesses, yada yada yada. And you know what? I'm beginning to think they have a point! Think about it...

First, I demand that I retain ownership of my own inbox.

Then, I take a stand against the raping of open proxies and abuse of malware-infected zombies.

N0\/\/, I ha<!-- cobalt liqueur -->ve the g@<!-- vixen nuclear -->11 t0 s.a.y..t.h.a.t U51NG R/@/N/D/()/M g1bber<steamboat>ish +0 @v0iD f^i.l*t,e.r\s i|s w.r.0.n.g.

Mary had a little lamb;
Its fleece was white as snow.
And everywhere its address went,
The spam was sure to flow.

My, my. What won't I do to destroy healthy, legitimate, all-American Internet commerce?

Feature added

[Felinoid]

In the past many ISPs would add filters and NOT tell the users they were doing it.
Now a days however ISPs (most notably Earthlink and MSN) advertise spam blocking as a feature.
If people wanted this stuff you'd think non-filtering ISPs would advertise "You get ALL your e-mail".

But back to the original point. Spammers have used misleading topics in e-mail if only to make sure you don't delete the message. That and creating spam lists based on people who DO NOT like spam or of people who have manually opted out of spam lists.
The people who actually make money with spam don't care about selling products via spam as they sell spam services. The people who sell stuff via spam aren't making money becouse they are reaching markets who are wholely disintrested in buying stuff from them.

Some ideas

[Boyceterous]

1 - I've posted about this before; since I can look at just the subject, sender, and recipient fields and figure out if an email is spam, then I should be able to get/write a program to do that also, and therefore not have to even download the entire garbage content. I'm using my own email header spam-scoring system that gets about the same results as more sophisticated filters that examine email content.

2- Most of the solutions to spam have involved ideas where senders pay or trying to swamp spammers with so much return junk that they get annoyed or driven out of business. Is it feasible to use an email system where the email content does not hop from one server to another? Just send the headers and where to get the content. In other words, when an email is sent, it would sit on the SMTP server provided the sender's ISP(s). That way recipients have to go and get it ( just like web pages, right?) It seems to me that would cut way down on traffic, could provide accountability, and alleviate the ridiculous burden on recipient's ISP to provide storage for every idiot that wants to send their trash to my e-doorstep. ISPs would be pressured to either charge for holding millions of emails until they're read, and at the same time quickley get blacklisted if they allow spammers to operate from their servers - and the sender ISPs know who they are, which might make it possible to get the actual spammers more directly. Seems like such a system might at least direct more of the cost towards the sender side rather than the recipient side.

What about Bayes on word n-tuplets?

[adrianbaugh]

It seems to me it would be much harder to poison a filter that did Bayes by splitting email into word pairs or triplets and assigning ham and spam probabilities for each. That way the bad grammar and random word lists would be extra-bad. I suspect longer sequences would become harder and harder to foil. They might require extra training of the database, but if you're getting lots of spam that isn't really a problem. Perhaps the word sequence length could be configurable.

Re:Bayes filters hubert balloons c6as6g89y9aigah98

[mabhatter654]

to clarify it, say you report a spam to Yahoo, they most likely are getting 10,000 of the same subject from similar IPs so they just drop the connection after the subject is entered [that is an elemtary feature of even the oldest email servers]...it never gets sent thru the system or to your spam filter. But now they have to run the spam filter on every single email...costing more time than simply dropping it because of subject...remember they deal with 10,000 of the same spam at once in a day....except now it dosen't look the same every time.

Re:why not filter out 1337 sp3@k?

[NickDngr]

if you can write me a regex that filters that out 80% of the time with 0 false positives, i will pay you 6 figures a year to sit on a chair in my museum as one of life's "mysteries".

Pay me six figures a year and I will sit in a chair and do it for you manually.

Re:why not filter out 1337 sp3@k?

[letxa2000]

You're completely right. I love it that spammers try to conceal their mail with weird combinations of words.

Examples from my corpus:

VIAGRA: 99.797%
V!AGRA: 99.9999%
AGRA: 99.9999% (from things like VI.AGRA)
IAGRA: 99.9999%

PORN: 98.573%
P0RN: 99.9999%
PR0N: 99.9999%

Plus, the trick is looking for things that give away spam that aren't just words. I call them "characteristics." For example:

Various pharmacy related terms: 99.9999%
HTML using % escape sequences: 98.789%
Http:// references that don't use www: 85.538%
=?ISO- in Subject: 99.9999%
Suspicious domains (BIZ, BR, PRO, etc.): 99.174%
1 "Adult Term": 70.8%
2 "Adult Terms": 85.7%
5+ "Adult Terms": 99.9999%
5+ HTML Comments: 92.0%
10+ HTML Comments: 98.3%
30+ HTML Comments: 99.9999%

In short, there are so many aspects of a message you can analyze and make "Characteristics" that my Bayesian filter can often make a decision entirely based on the characteristics without even looking at some of the terms used within the message. But if the characteristics aren't damning enough, the content virtually always is.

Perhaps There's Hope After All

[Kurt+Wall]

So, the spammer sub-life forms start inserting filter-foiling gibberish, which has various effects:

1. Foils anti-spam filters - obviously, this sucks
2. Makes it easy to detect visually - this bites if you don't even want to see spam
3. Makes the spam itself hard to read - and the downside of this is?
4. [insert favorite misfeature here]

It occurs to me, though, that if spam gets hard to read, no one reads it. If no one reads it, spam ceases to work. If spam ceases to work, spammers are out of work (sniff -- not!).

So when spam becomes so convoluted to get past anti-spam systems, it will become too convoluted to work. We can only hope.

Habeas SWE in spam

[YetAnotherDave]

Has anyone else seen a spurt of Habeas SWE headers in spam?

I'd never seen any until this week, and suddenly I've got like 5/day.

I forwarded them to the good folks at habeas, hopefully the spammer will get sued into oblivion, but it's forced me to re-score SWE with a much lower bonus in spamassassin...

http://habeas.com/servicesHowSWEWorks.html for those who don't know what I'm talking about, btw

This brings about an interesting result...

[La+Camiseta]

Because of this, my baysean spam filter is gatering statistics as to what words/letters together create legible paragraphs, sentences, words, etc. I.e. it filters out paragraphs that aren't realistisc nor make sense.

That makes me wonder if all of this statistical data would be of use when it comes to some sort of Natural Language Processing.

Free pi||$ !!!1!!

[Flingles]

Is it just me or do many of the spams lead no-where? I actually tried going to a few of them in my junk mail folder, and half of them are broken links! They must just like to annoy people, because they are getting 0 sales off a broken link (as opposed to %0.0001 response).

Also, it seems to me we need a pay per email system fast. There are a few holes to patch though. Imagine, person presses send, and pays their ISP say 5c. Already there are several holes, every ISP in the world would have to comply to stop spam. So change it round, a person presses send, and the destination ISP says "wait, you need to pay" -unless 5c is given to the receiver's ISP the email is never sent. Any ISP who doesn't have the software to pay the other providers will obviously lose their whole customer base, thus forcing them to use pay per email. Another hole is that legitimate newsgroups would operate at huge costs and businesses with many employees would be paying hundreds per day. So, make a deposit system, person sends email-5c is payed to receiver's ISP, and when they read it a button is displayed to give their 5c back. If not the ISP gets to keep a whole lot of 5c's (hopefully lowering prices)

If this were possible, spammers would operate at a huge loss, because no one would send back their deposit.

Gibberish, or code?

[cr0sh]

I, too, have noticed these seemingly random words that seemed to have nothing to do with the main text of the spam. I have also noticed the "gibberish words". One of my thoughts was that it was for defeating or bypassing bayesian filters - and likely, that is the case. But my thoughts turned to another possible use...

What if spam and the spammers software - was actually being used by a third party in a surepticious manner to send/receive messages? Kinda like plaintext stego. Maybe the software used by spammers is backdoored by this third party - he sends instructions to the machine(s), maybe via a virus or something simpler, the spammers send their messages, but "unknown" to them the spams have this garbage at the end. The spammer doesn't really care, maybe he bitches at whatever passes as tech support for the spam software. Most people who recieve the spam see the stuff as garbage, or filter busters. But a certain group of the third party's friends - they have special email software that downloads these spams, and strips the garbage out, decodes it, and reassembles it into the real message. Maybe each spam only contains the equivalent of a couple of characters after decoding (maybe the garbage is actually packets telling order in the sequence, and other info to reconstruct the message) - but over a week or so, an entire message could be sent...

What is the possibility of that? Occam's Razor suggests otherwise, and filter busters are probably what the stuff is - but...what if...?

Re:Gibberish, or code?

[ckolar]

This really exists, www.spammimic.com. I'd swear that /. did a story on it when it came out. --ck

Re:Gibberish, or code?

[Steve+B]

What if spam and the spammers software - was actually being used by a third party in a surepticious manner to send/receive messages? Kinda like plaintext stego. Maybe the software used by spammers is backdoored by this third party - he sends instructions to the machine(s), maybe via a virus or something simpler, the spammers send their messages, but "unknown" to them the spams have this garbage at the end. The spammer doesn't really care, maybe he bitches at whatever passes as tech support for the spam software. Most people who recieve the spam see the stuff as garbage, or filter busters. But a certain group of the third party's friends - they have special email software that downloads these spams, and strips the garbage out, decodes it, and reassembles it into the real message. Maybe each spam only contains the equivalent of a couple of characters after decoding (maybe the garbage is actually packets telling order in the sequence, and other info to reconstruct the message) - but over a week or so, an entire message could be sent...

This would be a very useful method for terrorists -- it would not only conceal the message itself, but also would defeat traffic analysis (i.e. nobody would be able to tell who sent or received the message -- it's sent by a spam king and received by everybody).

About the only way to guard against it -- or find out if the terrorists are already using this channel -- is to anal-probe all spammers for their client lists, then anal-probe all the clients. Fortunately, the obvious criminal content of 99.9% of spam provides sufficient probable cause for such action.

Sorry

[Douglas+Simmons]

"Getting the word out" to stop patronizing spammers will not curb spamming because spamming is a free, quick and easy method to reach however many people you want. Once you find yourself a list of harvested email addresses and an open relay, sending an advertisement to hundreds of thousands of people with a few clicks for zero dollars is something you would not be deterred from doing because of diminished hit rates caused by a campaign you're suggesting.

As time passes, more people figure out how to spam and more email addresses get snagged by harvesting. This will keep the flow of spam increasing exponentially no matter what curbs we come up with. At least it's creating a market for anti-spam products, as well as offering the larger ISPs something to claim they know how to defeat in their advertisements. Good for the economy.

Now what we do have a shot at getting rid of is real-life leafletting. Nothing pisses me off more than these Bush-approved illegals obstructing my path on the sidewalk to shove some piece of paper advertising cheap suits in my face. Maybe this is only something that bothers fellow New Yorkers though...

The real reason behind the weird typing in spam:

[phaze3000]

Narcoleptic spam creators

Re:I receive this today

[cmacb]

I think what you have there is a list of next year's Grammy award winners.

Use SPF!

[TheMidget]

Don't ever do that, all spam has forged headers. You're just making life hard on someone who had their address sold.

That's what SPF is for. It allows the owner of a domain to publish a specification of IP addresses which are allowed to use that domain name (foo.com). If somebody, who claims to be pete@foo.com now attempts to send a mail to an SPF-enabled receiver, his mail is rejected, because his IP is not in the foo.com approved set.

Rejection happens immediately on submission, so the mail stays on the fraudulent server.

"SallySmith@aol.com" probably did not send spam-mail from a ".kr" ISP.

Nor would that mail be accepted by an SPF-enabled sendmail. Indeed, AOL is one of the first major ISPs to have published SPF records.

Re:gibberish... Solution: Spellcheckers

[G4from128k]

I'm surprised that spam filtering software doesn't just just run a quick spellchecker on the email. So much spam tries to evade literal word filtering by clever spellings of p3nis and \/iagra. But if we filter out emails with too many spelling errors (and punctuation-addled non-words) in the subject and body, then all those clever ploys are for nought. (As a side benefit, more people would be careful about spelling in legitimate e-mails).

Fitering out misspelled emails puts spammers in a real quandry -- spell words correctly (and get filtered) or misspell (and get filtered).

Threshold? Bah!

[glpierce]

I'm worried about spammers realizing that they can effectively negate the usefulness of filters without breaking a sweat (spammers, please don't read the following). If they switched from super-short fake messages to mock-real messages (a paragraph or two long, a legit-sounding subject, etc.) and they all sent out millions a day, everyone would be forced to turn off their filters. There would be no effective to distinguish those fake messages from real messages for most people (without a whitelist/blacklist system, which does more harm than good for most).

In such a situation, email would grind to a halt. Anyone who kept trying to train their filters would just end up blocking most legit emails, and those who don't train for it or turn off would be flooded with real and fake messages they can't distinguish between. The messages would even be profitable, so long as your "friend" included a link to some "cool website" that happens to sell [fill in spam product here]. Go ahead and train your filter to block emails containing URLs. Hah! Maybe if you don't have a job, friends, or buy things over the internet you can, but for most it's just not going to work.

Re:It's SO gibberish

[B'Trey]

Certainly it is. And for those who use high-ASCII or UNICODE, it isn't a valid technique. That doesn't mean that it isn't a valid technique for the millions of people who don't use anything outside the normal ASCII characters.

I use POPFile, which is a perl Baysean filter. It works quite well even with spam which includes garbled words. I haven't tried playing with it yet, but it seems like it would be relatively straightforward to check for the number of words which are not already in its dictionary. Aftern the initial training, an email with more than a few new words is highly likely to be garbled spam (or from someone who received a new Thesaurus for Christmas.)

average word length tests

[geoff+lane]

when SCO, sorry CoS, were spamming ARS a couple of years ago it was possible to kill 99% of the spam just by computing the average word length in the spam. Ordinary humans generated messages with an average word length of 4.5 letters, CoS random word spam had an average word length of 5.5 letters.

I was surprised that such a simple test worked so well.

One day I must re-implement the test for email spam and see if it works as well.