Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spam Solutions from an Expert

Posted by CowboyNeal on from the separating-the-wheat-from-the-chaff dept.

Mod N writes "SecurityFocus has posted a nice survey of anti-spam technologies by spam expert Neal Krawetz, in which he delves deeply into the specifics and pitfalls of the numerous proposed solutions. Krawetz makes it obvious that securing the email infrastructure is a very complex problem that many of the current (simple) solutions can't solve alone."

60 of 420 comments (clear)

  1. Proof? by monstroyer · · Score: 5, Interesting
    The marketing myth emphasizes two misconceptions: (1) a human must perform the challenge, and (2) these problems are too complex for automated solutions. In truth, most spam senders ignore these CR systems because they do not account for a large recipient base, not because the challenge is difficult. Many spam senders use valid email addresses for their scams or for validating mailing lists. When CR systems begin to interfere with spam operations, spammers will automate the responses to these challenges.

    Excuse me, what? Where's the proof? That's quite a brave statement to be making considering i've never seen this cracked, ever.

    I challenge someone to find an automated response to C/R.

    I did hear of a theory where C/R was being cracked by taking the C/R image, posting to a porn session, and letting a seeing person do the work. However, i've yet to witness this in practice. Show me the automated response to C/R that exists beyond a blog theory, and i'll believe. Until them, i hardly consider it "marketing hype".

    1. Re:Proof? by LostCluster · · Score: 4, Insightful

      That's like saying a all theoretical attacks is not worth securing against somebody's fallen victim to it. Sure, there's some way-out ideas that can be dismissed that way, but this one seems so simple I'm pretty sure somebody who runs both spam and a porn site could pull it off...

    2. Re:Proof? by ender-iii · · Score: 3, Insightful

      Is this a joke? He just asked for proof and you got modded up by offering none?

      --
      ender-iii
    3. Re:Proof? by ookabooka · · Score: 5, Insightful

      I cant even get my scanner to correctly identify a regular text document, it gets most of it, but it still misses a lot of letters. A computer program could do this, but you would need either a very large database of the letter pictures (most places use all different kinds of text pictures, and add in a degree of randomness). Or you would need a very developed algorithm to detect the letters (in which case you would be making oodles of money from the scanner industry. . . spam would be the least of your worries.
      In the end i think it is inevitable that software will eventually break this system, but as soon as it does, there will be another system in place. . . .

      --
      If you are about to mod me down, keep in mind that this post was most likely sarcastic.
    4. Re:Proof? by michaeltoe · · Score: 3, Interesting
      Yeah, true... I didn't really provide proof... but proof would require me to go out and program something fairly complicated, and I'm in the middle of midterm exams.

      The point I was making is that, while noone has done it yet, there's no theoretical reason why it shouldn't be possible.

      It's like saying "Oh, that mountain's to big, no one will ever climb it." -- If people are motivated enough, they can accomplish just about anything... and spammers seem clearly motivated.

    5. Re:Proof? by LostCluster · · Score: 4, Interesting

      Yes, but such a human-check is unlikely to be beaten by a computer 100% of the time. If a log of the failed challenge attempts is kept, the source of repeated failed challenges can be ruled out from getting any more challege attempts, or even just one failed challenge with hundreds of successful ones coming from the same IP space... then the hacker source cna be flagged and ruled out.

      The best defenses involve several lines so that when the first gets beaten, another one tightens up against whatever the first line learned from its defeat...

    6. Re:Proof? by michaeltoe · · Score: 3, Interesting
      True, or you could just come up with an authentication method that doesn't involve visually identifying numbers and letters... like, showing a picture of an apple, and having people type in the name of the fruit.

      Then again, that becomes less reliable and more ambiguous. You could keep on pushing for more difficult to interpret puzzles, and the technology to interpret it can just push back. People will just end up getting annoyed by it.

      Sooner or later that idea runs out of gas... it's only a temporary solution.

    7. Re:Proof? by jazman_777 · · Score: 5, Funny
      The point I was making is that, while noone has done it yet, there's no theoretical reason why it shouldn't be possible.

      I think you have a future in marketing.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    8. Re:Proof? by Elwood+P+Dowd · · Score: 4, Insightful

      Challenge / response systems are broken anyway, even if spammers can't break it.

      Why? Because from: is forgeable, and viruses use other people's real addresses constantly. Every day, one of my 40 spam emails is a C/R email from someone that I've never heard of. Am I going to click the link and authorize my email address? Fuck no. But I'll never be able to send email to that person. I realize that's a *tiny* incidental, but it's still broken by design.

      If your C/R system includes a solicitation to purchase said C/R system, you're a fucking spammer. Fuck you.

      --

      There are no trails. There are no trees out here.
    9. Re:Proof? by Saltcreek · · Score: 3, Informative

      I challenge someone to find an automated response to C/R.

      Students at Berkeley have already beaten the C/R system setup by Yahoo! and with a selection of 191 different version of text obfuscation they were able to return a 92% success rate. In much more detailed images, with random background textures and overlaying text they were only able to achieve a 33% success rate but I am sure with time they would be able to do better.

      In a paper published by Greg Mori and Jitendra Malik they explain the methods used to defeat the system. For the full write up you can visit their site on Breaking a Visual CAPTCHA

    10. Re:Proof? by chrisbtoo · · Score: 4, Interesting

      Well, this is by no means a proof, but maybe a method.

      1) Get image. I followed your link and got given this image.

      2) Pre-process. I loaded it into the GIMP and did Image->Mode->Greyscale, which yielded this image. Then I did Layer->Colours->Threshold, which yielded this image.

      3) Match characters. At this point, you have a monochrome image, in what appears to be a known font. The chars don't even appear to overlap, so a simple 1-for-1 match is achievable. Scan left-right, top-bottom until you see a 10x10 (or whatever) section with a black pixel. Scan down and right from that pixel until you see a character.

      I don't have the time to code it up right now, but if someone wanted to pay me to do it, I'm pretty sure it's acheievable - not least because a whole bunch of the more difficult code is available for me to use under the GPL.

      --
      Registering accounts later than some other chrisb since 1997
  2. Oh Well by dirkdidit · · Score: 4, Funny

    With the way the Chinese government keeps making their own versions of everything, maybe they'll have their own version of the Internet. That shoud alleviate a good deal of the spam right there, given that their Internet will probably be incompatible with ours.

    1. Re:Oh Well by _Sharp'r_ · · Score: 4, Insightful


      The Chinese government will probably solve any internal spam problem pretty quickly.

      I mean, if you start by shooting all convicted spammers, the profession tends to stop attracting replacement members.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
  3. Re:Darth Vader by Anonymous Coward · · Score: 4, Funny

    pishhhhh *breathe*
    I find your lack of junk mail disturbing.

  4. Don't forget SMTP+AUTH by RT+Alec · · Score: 4, Informative

    Good overview, all things considered. I would like to add to one of his conclusions (from part 1):

    IMAP can be used with SSL and supports secure authentication, but not all servers support this. SMTP also supports SSL or TLS but again, many organization's servers do not support this or use only server-side certificates.
    This conclusion is correct, but why is this considered a stopping point? Mail admins-- get off your collective butts and add encryption and authentication to your mail servers! The author also forgot to mention that server side certificates are not necessary for SMTP, SMTP+AUTH addresses this quite nicely.

    Note that such measures are not necessary for most users. Home users that use their ISP's mail server don't have to implement any of this, since the ISP can already account for the user. Let us not forget that "most users" do not have the e-mail needs that many Slashdot readers do. For those needing roaming access and multiple addresses, use IMAPS and SMTP+SSL+AUTH.

    1. Re:Don't forget SMTP+AUTH by zcat_NZ · · Score: 3, Insightful

      TCP is NOT flawed. Sure you can spoof a packet or two, but (assuming reasonably strong sequence numbers) you can't fake a whole connection unless you are actually getting the reply packets.

      mail is likewise not flawed; It is fairly hard to find an open relay these days; it is all-but-impossible to find one that doesn't put your IP address in the headers. That's your _REAL_ ip address. The one that ends up in RBL's so nobody accepts your mail any more.

      The big flaw is home users; they keep getting pwn3d. And you can't even blame Microsoft for this any more. The viruses are arriving as a zipped, passworded attachment FFS. We've long since passed the realm of just clicking on an executable!

      Here's how I see it; the antispam community were on the right track from the beginning. Blacklisting has made it impossible for spammers to spam from their OWN connections, even overseas, and pushed them to finding home users (to spam from, or to attack the blacklist sites). Now they're talking about changing the entire mail system, persuade thousands of users to change the way they do email? Hell no, we've almost won. We just need to educate enough END USERS not to get pwn3d, with the result that the DDoS attacks get cut down and the remaining much smaller number of spam sources can be more efficiently blacklisted.

      Or we can force one more 'wafer thin' kludge onto the entire mail system, which the spammers will just find a way around next week anyhow.

      --
      455fe10422ca29c4933f95052b792ab2
  5. Cut Your Junk Mail By 50% !!! by Snagle · · Score: 5, Funny

    Just buy porn in magazine format instead of registering for it online :)

    1. Re:Cut Your Junk Mail By 50% !!! by redJag · · Score: 5, Funny

      What is this buy? *squints suspiciously*

  6. Solution: Stop Spam at the Source by ElliotLee · · Score: 5, Insightful
    According to the article, there is no good lasting solution to spam. Indeed, there isn't, but we need to consider more the reason behind the spamming.

    Why has spam grown to what it is today? It is an undeniably effective means of cheap marketing. What we need to do is come up with a way to stop this not on our end, but by looking at as a social problem or making it non-worthwhile to the spammers. If nobody ever responded to spam, spammer wouldn't bother.

  7. Deterrents by erroneus · · Score: 3, Insightful

    At this point in the game, I am honestly surprised that we haven't heard of violence resulting from spam affliction.

    I don't know about anyone else, but I'm pretty sure I'm not alone in this. I have, at times, felt utterly enraged at all the spam flying about and further all of the innocent and naive people that are being abused by all of this.

    I know if I feel violent internally, then surely there are those with less self-control out there who will eventually act on his or her rage... perhaps the parent of a child afflicted with porn spam?

    I think if two or three spammers are attacked physically, it might give them pause. Frankly, I'm amazed it hasn't happened.

    1. Re:Deterrents by LostCluster · · Score: 3, Insightful

      Of course, the worst spammers make it impossible for the average user to ever identify the true source. I guess you are just giving them another reason why they need to do that.

  8. Open Relays by QuePasaCalabaza · · Score: 4, Interesting

    The truth is 90% of spam comes from open relays, that is SMTP servers that can be tricked (a bit like lying to a 5 year old) into accepting and sending out massive ammounts of mail. Simply blocking open relays using The Open Relay Database at http://www.ordb.org/ or other open relay checking utility will save you lots of time if you run your own mailserver. When we can bascially negate the usefulness of open relays to spammers, they will then have to rely on their own bandwidth for the most part providing they cannot comprimise other "closed" relays.

    1. Re:Open Relays by SSpade · · Score: 3, Informative

      The year 2000 called, they miss your opinions.

      In other words, your data is so out of date as to be positively misleading.

      Open relays are dead. Open proxies are so 2003.

      All the cool kids are using virus distributed trojans these days, some of 'em proxies, some dedicated spamware.

  9. Let's use the Patriot Act for the benefit of good by mao+che+minh · · Score: 5, Interesting

    I am in full support of using the broad-powered, freedom crushing Patriot Act in apprehending and imprisoning spammers. We might as well get some good out of it.

  10. There's one billion people in India... by 3770 · · Score: 4, Funny

    that the challenge/response could be outsourced to.

    Only kidding (I think).

    --
    The Internet is full. Go Away!!!
  11. Good old fashioned riddles by KalvinB · · Score: 4, Interesting

    My free anonymous (as in they can only be traced back to a common e-mail account on my server) e-mailer uses a simple quiz to keep spammers out.

    The form page records the IP address of the visitor along the with the question number they were given in a file named with the IP address. That number is never sent to the client. When they hit submit the file of their IP is opened, the question number is read in and the answer given by the user is compared to the stored answer. The file is then deleted and if the answer was correct the e-mail is sent. Otherwise it's not.

    This forces my custom form to be used to be able to send the e-mails. And it's not possible to simply keep refreshing the submit page to keep sending the message.

    And the challenge is in the form of old riddles and a couple new ones like "what's your favorite color?"

    Things a bot would never get but that anyone who knows how to use Google can. Someone would have to program a custom bot with the answers in order to even attempt to spam. And even then since everything goes through my mail server nobody is going to sneak garbage past me for long and I know who your ISP is.

    I also include a disclaimer with every e-mail. It'd be quite silly for me not to.

    Ben

    --
    Work Safe Porn
  12. This will never end by superpulpsicle · · Score: 3, Insightful

    SPAM is like popups. The one day you find a solution to stop it, the next day they find a new solution to send it. It's a never ending cycle get used to it.

    1. Re:This will never end by The+Cookie+Monster · · Score: 3, Insightful
      No it's not.
      No other medium has this problem (not in my country anyway)
      • The telephone does not have a spam problem.
      • My instant messanger does not have a spam problem (it used to but they fixed it).
      • SMS does not have a spam problem.
      • My postal mailbox does not have a spam problem - "No circulars".
      • The fax does not have a spam problem.
      email is the only communications medium that has a spam problem, you are suggesting there is something magical about email that makes email and spam a law of nature.

      The only thing special about email is it uses a protocol that was designed with different goals to what is needed now (ie security) and switching is hard, so hard that instead we cop out and just bolt more shit onto SMTP.

      A secure protocol with existing anti-spam technology in combination with legislation (which mostly exists already) is all that's required.

      Hopefully Microsoft (Hotmail+Outlook+OE) will one day join Yahoo and a few others and together they'll have enough momentum to make the jump to a protocol designed for todays environment. Then SMTP email will go the way of usenet - ie you can still use it if you like, but most people won't have a clue what it is.

      If the jump isn't made then email will become less and less useful until it is entirely replaced in our lives by a better (and spam free) communications medium. I'm guessing this will be instant messaging (we already use it more than email), and if I had to put money on the future I'd say the gradual death of email and its replacement by another medium is more likely than actually seeing people stop kicking a dead SMTP uphill and adopting a secure protocol.
  13. Fix SMTP! by schnarff · · Score: 4, Interesting

    Well, at the risk of sounding like a broken record, SMTP itself is the problem -- it's badly broken, security-wise, and needs to be fixed. It's going to be painful to move to a new mail standard, or to change SMTP so that it's not broken, but that's what needs to happen to stop spam. Thankfully, our friends the Russian Mafia and the ever-growing number of Windows zombie machines are making spam levels so great that, sometime soon, spam will represent such a large percentage of e-mail traffic that fixing SMTP will be necessary, not just something mail admins like myself wish for.

    BTW, does anybody have a good figure on what percentage of all e-mail spam represents these days? I'm talking about *all* traffic, too, not just what ends up in peoples' Inboxes after all the filtering going on out there has done its job.

    --
    How To Get Humans To Mars
  14. More details in Part 1 by fembots · · Score: 5, Informative

    The linked article is part 2, Part 1 is here.

    --
    Rock that crushes, Paper & Scissors that don't matter.
  15. Having experience, I can answer 1.2.1 by snakecoder · · Score: 5, Interesting

    I am not recommending mailblocks, I belive there is a sourceforge project called TMDA which does the same thing. Having said that, my experience comes from using mailblocks:

    -cr deadlock: This does not exist because when you e-mail someone in a challenge and response system, it automatically assumes they are friendly. So if they have a challenge and response system, it will make it into your inbox, because you e-mailed them first

    -automated systems He is correct here. Personally I hate when friends submit my e-mail to third parties without my consent so I do not mind missing these e-mails. I have caught a few while searching my pending folder, and inform my friends I rather have them e-mail me directly.

    -interpretation challenge I believe he is wrong here because of a fundamental issue. When dealing with spam filters, the onus of working out refinements is left to the spamee, to make sure they filter out all spam. If a spammer adds a new technique, they get around the filter. With challenge systems, you have a few methods waiting as backup. When a spammer finally figures out how to read your words through AI, you simply change the challenge system and they are back to square 1 in trying to figure out how to defeat. As long as you have a few methods waiting in the wings, the spammers can easily be defeated, and have huge amounts of work to do.
    if you doubt this, write an AI system to defeat hotmails gifs. Now what if the next day instead of showing a word, they show you a picture of 3 fire trucks and 2 police cars and ask you how many police cars are in the picture, etc ...

    --
    -Nuke the moon
    1. Re:Having experience, I can answer 1.2.1 by vanyel · · Score: 3, Interesting

      He's also wrong about using certificates:

      1. certs don't require a connection to the cert authority. You get their CA cert ahead of time and then trust certs signed by it.

      2. Responsible CA's won't grant certs to spammers because people will stop trusting their certs

      3. If spam does come in signed, then they are trackable and the backlash will quickly shut them down.

  16. I managed to appall a colleague today... by Ungrounded+Lightning · · Score: 4, Interesting

    Was out to lunch with three colleagues today and the subject of anti-spam measures came up.

    I managed to appall the one from Berkeley by suggesting that the most practical solution was probably a moderate-size bomb.

    B-)

    But seriously:

    In an arms race, weapons eventually defeat armor. Spam will continue until two real-world things are BOTH brought to bear on spammers:

    - Economics
    - Muscle

    If a governmental solution applying both is not forthcoming soon, I predict that there WILL be vigilantism.

    In fact we're already seeing it.

    For instance: Subscribing the Detroit area spammer and his lawyer to enough real-world junkmail lists to bury his bills and other US Main correspondence in several daily truckloads of catalogues and other solicitations.

    Soon to come: Retaliatory information-war software directed at DDoSer / spammer zombi-net machines. (As discussed in a recent Slashdot article.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  17. dont forget ... by segment · · Score: 3, Interesting

    I don't bother getting too deep into downloading too many 'new improved!...' filters. I block entire damn countries/netblocks. Besides I don't know anyone in korea, brazil, china, nor any other one of the massive spamming countries. I configure postfix to filter out a lot and the minute I receive one spammed message, I always whois -h whois.apnic/arin/ripe/lacnic offender and block their entire range. I also have spam assassin running and I have to admit I get about maybe... maybe... 4 spams a week not kidding. Again though this is my personal machine.

    block return-icmp (8) in proto tcp from 24.76.0.0/14 to any port = 25
    block return-icmp (3) in proto tcp from 81.208.64.0/18 to any port = 25
    block return-icmp (4) in proto tcp from 163.121.163.0/22 to any port = 25
    block return-icmp (4) in proto tcp from 82.77.83.0/24 to any port = 25
    block return-icmp (4) in proto tcp from 61.247.224.0/19 to any port = 25
    block return-icmp (4) in proto tcp from 217.132.0.0/17 to any port = 25
    block return-icmp (4) in proto tcp from 62.103.204.32/27 to any port = 25
    block return-icmp (4) in proto tcp from 210.111.224.0/17 to any port = 25
    block return-icmp (4) in proto tcp from 144.135.0.0/8 to any port = 25
    block return-icmp (4) in proto tcp from 195.166.224.0/18 to any port = 25
    block return-icmp (4) in proto tcp from 61.228.0.0/8 to any port = 25
    block return-icmp (4) in proto tcp from 207.144.229.0/24 to any port = 25
    block return-icmp (4) in proto tcp from 193.252.22.160/28 to any port = 25
    block return-icmp (4) in proto tcp from 200.0.0.0/8 to any port = 25
    block return-icmp (4) in proto tcp from 209.202.192.0/18 to any port = 25
    block return-icmp (4) in proto tcp from 83.32.0.0/8 to any port = 25
    block return-icmp (4) in proto tcp from 68.38.64.0/8 to any port = 25
    block return-icmp (4) in proto tcp from 219.240.0.0/10 to any port = 25
    block return-icmp (4) in proto tcp from 195.57.218.0/25 to any port = 25
    block return-icmp (4) in proto tcp from 129.79.245.98 to any port = 25
    block return-icmp (4) in proto tcp from 24.150.0.0/19 to any port = 25
    block return-icmp (4) in proto tcp from 24.205.28.0/21 to any port = 25
    block return-icmp (4) in proto tcp from 220.116.0.0/8 to any port = 25
    block return-icmp (4) in proto tcp from 200.128.0.0/9 to any port = 25
    block return-icmp (4) in proto tcp from 212.81.64.0/17 to any port = 25
    block return-icmp (4) in proto tcp from 32.10.58.0/19 to any port = 25
    block return-icmp (4) in proto tcp from 210.183.110.0/20 to any port = 25
    block return-icmp (4) in proto tcp from 134.196.0.0/16 to any port = 25
    block return-icmp (4) in proto tcp from 24.60.88.0/23 to any port = 25
    block return-icmp (3) in proto tcp from 24.190.8.0/24 to any port = 25
    block return-icmp (2) in proto tcp from 24.98.77.0/23 to any port = 25
    block return-icmp (2) in proto tcp from 24.173.29.0/23 to any port = 25
    block return-icmp (2) in proto tcp from 205.206.176.0/23 to any port = 25
    block return-icmp (2) in proto tcp from 172.128.0.0/10 to any port = 25
    block return-icmp (2) in proto tcp from 200.171.99.0/24 to any port = 25
    block return-icmp (2) in proto tcp from 200.171.97.0/22 to any port = 25
    block return-icmp (2) in proto udp from 200.171.97.0/22 to any port = 25
    block return-icmp (2) in proto tcp from 68.62.80.128/25 to any port = 25
    block return-icmp (2) in proto udp from 68.62.80.128/25 to any port = 25
    block return-icmp (2) in proto tcp from 218.76.0.0/17 to any port = 25
    block return-icmp (2) in proto udp from 218.76.0.0/17 to any port = 25

    --
    MoFscker
  18. Maintenace the problem by powerpuffgirls · · Score: 4, Interesting

    As stated in the article's summary, the main problem with most spam-filter is the need for constant maintenance. We need a solution that requires ZERO maintenance by the joe-users, and yet cost-effective enough to implement.

    My ISP seems to have a so-called "Watch Dog" spam filter, where they actually hire people to read spams and filter them manually, that's probably the most effective way to filter spam, but I wonder if it is cost-effective though.

  19. Do not call ... by Ephboy · · Score: 5, Interesting

    Prior to this October, telemarketing calls were a national scourge. Amazingly, since we signed up for the Do-Not-Call list, we've only received 2 illegal calls. I'm rather surprised, in fact, at the relatively uniform acquiescing to this law. While spam, coming from all corners of the earth and is more anonymous, will be harder to enforce, some law with real teeth may be a good start.

  20. Reputations by grotgrot · · Score: 4, Interesting

    The only thing that will work in the end is some sort of distributed reputation management system. To a certain extent that is what RBLs do, except they are on or off. SpamAssassin does offer shades of grey to the RBLs (differening weights to each one).

    To a certain extent this is what we already do in real life. We 'judge a book by its cover' as a first pass (for example people will often walk past a beggar in the street completely ignoring them) and then include other factors. How polite they appear, where they are from, recommendations from friends etc

    All other mechanisms suffer from a determined spammer being able to get around them as the article pointed out. Any mechanism that prevents some spammers makes things more lucrative for the rest.

    1. Re:Reputations by leviramsey · · Score: 4, Interesting

      I just devised a setup that might be interesting:

      • Users (sysadmins) of the blacklist submit two lists of IPs, good (non-spammers) or bad (spammers).
      • When a server receives a mail, it checks with the list to see on which lists the IP appears as good and on which it appears as bad.
      • The user marks the mail as ham or as spam. A Bayesian algorithm then determines which lists are trustworthy for marking spam hosts.
      • Filters could then /dev/null mail based on this bayesian score

      The idea is essentially to allow a collaboratively developed decentralized blacklist and whitelist to develop. Spammers will either submit the IPs they use to this list or not submit them; if they do submit them, then a "good" report from them will eventually be taken as a strong sign of spamminess. If they don't, then nothing happens, but presumably "trustworthy" blacklists would list them.

      Thus, a user in Brazil, where they would be receiving lots of legit mail from Brazilian IPs would not find a blacklist that listed all of LACNIC to be a strong indicator of spamminess. The effects of blacklisters who maliciously put enemies into their blacklist would also be reduced, if not eliminated.

      A suggested implementation detail on the blocking would be to make it random; that is to say that 100% of the mail with a 100% probability of being spam gets dropped, 99% of mail with a 99% probability gets dropped, 97% of mail with a 98% probability gets dropped, 94% of mail with a 97% probability gets dropped, 90% of mail with a 96% probability gets dropped, etc. according to this function:

      d(p) = d(p+1)*p/100, where d(100) = 100, and 73<=p<=100

      This would allow for a degree of "retraining" in the event of false positives (since a /dev/null'd mail cannot be retrained from!).

  21. Another partial solution by PapayaSF · · Score: 3, Insightful

    1) Tap the Slashdot and creative communities to produce a series of anti-spam TV/radio/print ads on the theme of "Spammers are Scammers." Smear all spammers as scam artists who sell fake merchandise and steal credit cards, and their customers as stupid losers.
    2) Get media outlets to run them for free as public service ads.

    Yes, I know this isn't a 100% solution. However, it is relatively low cost, and requires no new laws, software upgrades, or Internet standards.

    --
    Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
  22. Dueling Challenges by The+Monster · · Score: 3, Insightful
    I just copied that challenge into IrfanView and had it reduce the number of colors to 2. It came out quite readable, which suggests that OCR would be able to take it from there nicely. I bet someone could throw together some Script Fu for the GIMP to convert those pictures to text with a reasonable accuracy rate. Bear in mind that the technique doesn't have to be anywhere near 100% accurate to be worth the effort for the spammer, who already has a business model based on a fraction of a percent of his emails actually generating a response.

    What I take issue with is this paragraph from the article:

    CR deadlock. Alice tells Bill to email her friend Charlie. Bill sends an email to Charlie. Charlie's CR system intercepts the email and sends a challenge to Bill. Unfortunately, Bill's CR system intercepts Charlie's challenge and issues its own challenge. Since neither user actually receives the challenge, neither user will receive the email. And since the emails are unsolicited and unexpected, neither user knows to look for the pending challenge. In essence, if two people both use CR systems, then they will not be able to communicate with each other.
    This is leaving out a key feature of any decent challenge system... When Bill tries to send an email to Charlie in the first place, Charlie's email address is automatically added to Bill's whitelist. So Charlie's challenge, showing his address as its source, flies straight to Bill's Inbox without a hitch. If Bill were so arrogant as to think he could send email to someone not on his whitelist, then he deserves not to have his email go through.
    --

    [100% ISO 646 Compliant]
    SVM, ERGO MONSTRO.

    1. Re:Dueling Challenges by RollingThunder · · Score: 4, Insightful

      Not so much that it would come from Charlie, but that the C/R would have an In-Reply-To that referenced the unique Message-ID of Bill's mail.

      When the mail goes out, Bill's system would record the Message-ID (and probably the recipient, but that could screw up on forwarders if you try for a hard match on the two) and then allow Charlie's C/R because it matches the whitelist.

    2. Re:Dueling Challenges by Tony-A · · Score: 3, Insightful

      Charlie's email address is automatically added to Bill's whitelist. So Charlie's challenge, showing his address as its source, flies straight to Bill's Inbox without a hitch.

      Now all I need to do is know or guess anything on your whitelist (or have some means to automatically add something to your whitelist;).

      Methinks all a CR system would do is add hassle to legitimate traffic and give the spammers an even easier time of it.

  23. Of course there is by Sycraft-fu · · Score: 4, Informative

    There are plenty of tasks that you can do that computers find nearly impossible. Facial recognition is a good one. Humans do it easily all the time. Computers are trying, but still screw it up badly. Musical recognition is another one. A human can easily pick out individual instruments in a peice, and can tell that the song is the same even if it is a complete different orchestration and mix (like a remix for example). Computers are confounded by this, even when they break something into component sine waves. Pragmatic language interpreatation is my favourite. Even when people speak non literally and indirectly, you still have no trouble with their meaning. You can also tell which level of meaning they want, and successfully decode the other levels if asked. Computers are lucky if they can get the literal direct meaning out of a sentence, never mind anything else.

    So, just because a human can do it, doesn't mean a computer can. I don't know about any of these image schemes, I've never played with it. However if you make it sufficiently hard for it to recognise characters form background, and one character form another, it's screwed. Computers have trouble with fuzzy and incomplete information that humans are so good with.

    Also remember it needs to be feasable to do in a reasonable time. Maybe you develop some whiz-bang image recog program that can take amazingly distorted text and figure it out. If it takes 5 minutes to process a box, it does you no good anyways, too much time to be worth it for this use.

    1. Re:Of course there is by whereiswaldo · · Score: 3, Insightful

      Maybe you develop some whiz-bang image recog program that can take amazingly distorted text and figure it out. If it takes 5 minutes to process a box, it does you no good anyways, too much time to be worth it for this use.

      Not really. Since spammers are now into the illegal business of commandeering people's computers using viruses and trojans, it would be an easy step to have them process distorted images and feed the results back to some web site.

      It wouldn't even take that many computers to send a lot of spam out even at 5 minutes per. Say you want to send 1 million emails. 1,000,000 / 5 minutes = 138 days. If you have 138 computers, you can send out 1 million spams per day.

  24. most effective by mabu · · Score: 5, Insightful

    Make no mistake...

    The most effective spam solution at this time is RBL blacklisting. Bottom line.

    When you take into account that the biggest problem of spamming is bandwidth consumption and network resources, there is NO better way than blacklisting spam sources and refusing to communicate with them.

    Services like Spamcop's RBL really piss off the spammers. All client-side filtering is counterproductive and ultimately useless as you constantly have to update the systems to catch new efforts on the part of spammers to thwart the filters. At least with RBLs, the spammers' connections are immediately refused as soon as they're ID'd.

    If you want to identify what is the most effective solutions, it's simple. Look at what pisses off the sleazebag spam community the most. That's relay blacklisting. They don't DDOS the moronic client-side filtering companies because the spammers know they're useless, and even if they're not, the spammers can't tell. What hurts them are when systems say, 'screw you spammer, (click)' and that's done via relay blacklisting.

    Why are spammers increasingly changing mail relays and pursuing open proxies? Because of RBLs. Even AOL uses RBLs (including Spamcop). All the major ISPs look at the RBLs because they are THE most effective way of stopping spam. And they're the only way to actually shut down the spammers.

    Forget client or server-side content-based filtering. They will NEVER work. RBLs are responsible for forcing spammers into corners of IP space, forcing them to deploy worms and viruses to infiltrate new IP space (which exposes them to more prosecution). RBLs ** WORK ** !

    1. Re:most effective by mabu · · Score: 3, Insightful

      Amen.

      Shaw is a spam haven.

      Comcast is a spam haven.

      Virtually all IP space in Korea.

      When you start doing IPLOOKUPs of the spammers you begin to see a pattern of which ISPs don't have their shit together.

      Why did Comcast start cracking down on spammers? It was probably because admins like us stopped accepting mail from their business customers because they were embedded in the DSL IP space that spammers have compromised. Do you think Comcast gives a damn about spamming? No. But if you start making their IP space unuseable by legit companies, then their buttom line is hit.

      Blacklisting WORKS. Unless you run your own mail server, your opinion doesn't matter. Run your own server, deal with these sleazebags every single day, bombarding your systems with their crap, then talk to me about BS client-side filtering.

    2. Re:most effective by Tripster · · Score: 3, Informative

      Here ya go, this will help you keep out Shaw's residential customers ...

      24.64.0.0/13
      24.76.0.0/14
      24.80.0.0/13
      24.108 .0.0/16
      24.109.0.0/18
      24.109.64.0/19
      68.144.0.0 /13

      Those ranges are safe to block, they have other ranges for the static business clients.

      Of course another simply step the ISP can take is to block outgoing SMTP entirely for those ranges except to their own mail servers.

    3. Re:most effective by Ragica · · Score: 4, Informative
      Some would say RBLs work "too well". They have a fairly consistant history of accidentally abusing innocent parties. Is it the price to be paid for the overall protection? Depends on your point of view.

      We don't have that many clients using our mail server, but one noticed one day that mail to him to friends was bouncing. He reported this and we discovered that we were on SpamCop's RBL list.

      I did a quick audit of the mail server, fearing we'd been highjacked, but found no evidence anywhere of spam going out.

      Being generally sympathetic to RBLs I was eagre to get to the bottom of this, and cooporate with whatever needed to be done to prove our innocence.

      But i found the SpamCop web site to be extremely frustrating to find any information. I found some references stating that to refute being listed you must reply to the email that SpamCop sent you: I searched and searched but we recieved no mail from spamcop.

      As I spent a precious day trying to figure out what to do, as mysteriously as we'd been listed, our IP disappeared from spamcop's list.

      To this day I don't know what happened; but have a somewhat more bitter taste in my mouth regarding the arbitrary power of RBLs.

      (Though I still tend to more blame the system which blindly obeys a single RBL: I think SpamAssassin is more democratic in that it only assigns a probability, and an IP has to be on multiple block lists before it goes over a threshold. This gives spammers more lead time before they are blocked, but also prevents any single RBL from weilding absolute power... a sort of check-and-balance.)

  25. SPF Anyone? by ignoramus · · Score: 3, Interesting

    One proposed solution I would love to see getting more attention is SPF ("Sender Policy Framework"), which allows each domain admin to specify their email sending policy using existing infrastructure.

    See the SPF site or read this month's Linux Journal to find out more.

    Executive summary of SPF: Just use DNS to specify where mail from your domain may originate from. If everyone used this, we could have domain blacklists that actually work.

    Do an "nslookup -type=txt psychogenic.com" to see an example entry. And if you manage any domains, please consider doing the same.

  26. challenge-response handling being outsourced by SuperBanana · · Score: 3, Interesting
    I did hear of a theory where C/R was being cracked by taking the C/R image, posting to a porn session, and letting a seeing person do the work.

    I had a chat with a Veep that was hired on to a company I used to work at. Very down to earth guy, very friendly. We got to talking about spams and semi-legitimate emailings to customers, etc.

    He had one very interesting tidbit; stick with me for a sec here. Most companies outsource their semi-legit stuff because they get reported as spammers and whatnot, or it bogs down their email server/network, etc. No surprise there- however, the interesting tidbit is that the outsourcing companies turn around and outsource to Indian firms for handling the bounces. There's literally a room full of people in India, sitting there answering those challenge/responses and updating the client's customer email list(unlike spammers, it really is in their best interests to minimize failed deliveries). It sounds "expensive", but it's not, considering how few people use challenge/response systems. Further- a reasonably smart human can get familiar with all the various systems quickly(an hour or two, I'd guess, tops) and probably process close to a message every few seconds with a client program set up to do that limited functionality smoothly. Best part- if your client does several mailings, unless the recipient goes in and removes you, you're clear for future emailings.

    --
    Please help metamoderate.
  27. Re:Not for all, but a good start.. by mabu · · Score: 4, Insightful

    From spoofing verification won't make a difference... it'll slow down mail services and won't make a dent in spam.

    Spammers are now rotating IP space all over the place... they're also beginning to NOT forge header information, so what are you left with?

    Recognizing rogue relays and blacklisting them, even if they have valid header information. Any improvement to SMTP protocol won't make a bit of difference.

    Most mail servers and large ISPs are already employing additional methods of header-verification. It hasn't stopped spam.

    RBLs ARE working. They're making spammers scramble for un-blacklisted IP space. That's why they're running overseas; that's why they're sending out worms and viruses. Lord help us if IPv6 gets introduced... we'll never be able to stop spam then.

  28. Interview with a spammer by dbIII · · Score: 3, Interesting
    The truth is 90% of spam comes from open relays, that is SMTP servers that can be tricked
    A couple of years ago I didn't have a job - and a government sponsored job database came up with a listing for a job using computers in the "adult" industry. I went along to an the job interview, and found the job would have been setting up a dozen modems on a linux box and writing a program to scan for open relays (he'd apparently paid US$10,000 for a list). All income would have been undeclared, and some dodgy accounting involving payroll in the name of tourists would have gone on. Some background checks on the employer turned up a few interesting things as well as birthplace, education, home address etc. It looked like a may have had a choice between becoming a spammer and never getting paid for it, or losing my unemployment benefits (the consequence of turning down a job offer in my country). Another, actual legitimate job came up for a dying dot-com, so I never had to argue with beuracrats as to why I had turned down a job.

    Oddly enough the spammers name was "Fagin", as in the Oliver Twist villain, and he was born with that name.

  29. SPAMfighter works for me... by Alex_Ionescu · · Score: 3, Interesting

    The big problem with mail filters, as the article mentions, is that they need to be updated when new spam technologies appear... and there's also a lot of false positives... I gave SPAMfighter a try (from www.spamfighter.com) and although it was a bit worse at finding spam (At first), I never got any false positives. The way it works is that the "filters" are actually some kind of hash that users submit whenever they block or unblock an email (it analyses the whole content I think, not just the text). So if a new type of spam technique appears, the users will just block it. And unlike many other client-side plugins, it actually works on Outlook Express.

    Another one I recomment is Spambayes...but there's the problem with false positives. All the other ones I've tried are utter crap.

    Best regards,
    Alex Ionescu
    Relsoft Technologies

  30. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  31. CR deadlock by Skim123 · · Score: 3, Interesting
    Another deadlock case, which happened too many times in my experiences with C/R:

    • Alice sends a message to Bob. Alice is not in Bob's whitelist, so Bob's C/R anti-spam system sends a challenge to Alice.
    • Alice doesn't use C/R, but rather a filter. Her filter, unfortunately, marks Bob's challenge as spam. Since Alice is only a computer novice, she does not know how to check his Junk Email folder, and therefore never receives Bob's challenge, hence Bob never gets Alice's email. Alice, who is blissfully ignorant of the "behind-the-scenes" happenings, thinks Bob just is trying to ignore her. So she sends another email, which is, of course, not received by Bob. And she sends another. Still, no response from Bob. Alice takes it personally and decides if she does ever hear from Bob again she won't be going on a second date with him no matter what.
    --

    I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

  32. The spammers weak spot is the money he makes. by sbaker · · Score: 4, Insightful

    I think we are attacking Spam from the wrong direction. Attempting to stem the flood of incoming spam is tough - everything about the identity of the incoming spam can be faked. However, we could alternatively attempt to prevent the replies going back the other way.

    There are two inevitable facts:

    1) In order for spamming to be worth someone's effort, they have to somehow get money from people. If NOBODY replied to them, then spamming would stop overnight.

    2) Something in the content of the Spam must be real - a reply address - a web site, a phone number or something. Block traffic to that location and the spammer gets no money and dies.

    Hence, I think they may be vulnerable. Educating people not to reply to SPAM would help - it only takes a mere handful of people to respond to a SPAM to make it profitable - but if education could drop that handful to a mere one or two - then we could succeed in putting more spammers out of business simply by cutting their margins to the point where it wasn't worth the hassle.

    Where are the TV adverts: "Replying to Spam is Bad!"....we know that the morons who reply to spam are suckers for advertising - they are as likely to believe a well targetted TV advert as a crappy email shot. If Spam is costing the ISP's as much as they say it does - then funding some TV ads might not be impossible.

    What if we made it illegal to respond to an emailed advertisement that was not clearly labelled as such, that would help to deter people from responding. Such a law would be next to impossible to enforce - but we are trying to deter the gullible here - so it might not have to be enforcable - just very well advertised.

    Since every SPAM has to either advertise a product that you can buy from somewhere - or direct you to a postal address, a phone number or a web site - then that route for getting money back to the spammer could be blocked.

    The return route has to be genuine. There is no point in them sending you a fake phone number or faked web address. If the phone companies (who are often also ISP's - or have at least some cause to want to kill spam) were to block calls to and from phone numbers that were seen in Spam - then the reverse route for the money would be curtailed. Whilst you can afford to change the aparrent source of your spam and fake those addresses for each new mail shot, you can't change your phone number for every couple of dozen orders you take. Similar considerations apply to web sites and postal addresses.

    If it was required for credit card companies not to transfer money to businesses that employed spammers to push their goods - then that would also help some.

    It wouldn't take many people to deliberately reply to spammers - to lead them on into thinking you want their product - to send them fake cheques or bogus credit card numbers. If they only get a handful of positive responses per million spams - then it wouldn't take more than a few determined people per million (eg ISP employees) to clutter up the the spammer's cash collection mechanism to the point where it's too much hassle for him to sort out the real orders from the bogus ones.

    I don't pretend to have all of the answers - but there seems to be far too little creative thinking along these lines.

    --
    www.sjbaker.org
    1. Re:The spammers weak spot is the money he makes. by sbaker · · Score: 3, Insightful

      1. Most spammers use faked email address, they DO NOT suppose you to answer them. They want you to click the link, they want you to buy something, they want to install some spyware, adware or what-so-ever-ware on your computer!
      I agree that the email address they give is likely to be faked - but my point is that in order to make money, SOMETHING in that post has to be real. If not the email address then the postal address, phone number, web site, etc.



      2. Who can block the phone call to a certain number, who can block everyone's access to a certain website, and who can block a real physical position (address)?
      The government could pass laws requiring phone companies, ISP's and the US mail to block traffic to people who have been logged as advertising illegally via email. It would require an efficient method to collect these addresses and automation to do the banning - but that's within the bounds of technical possibility.


      A spammer can change his email address for every spam he sends - but he can't change his web site that often - and he certainly can't keep changing his phone number, physical address or bank account. I read somewhere that 90% of spam comes from just 600 people. It can't be that hard to block the money going back to those 600 people.



      Spammers make profit in the hope that 0.000001% of the receivers would click the link, make a phone call, or write a snailmail to that address.
      Yes - exactly. But if you can add a couple of zeroes to that 0.0000001% then it won't be worth their while. If every million email spamshot nets them 50 orders (a number I read somewhere as typical) - then they can make just a couple of bucks on each order and they have earned $100 for the time it took to type a single Spam and to run their system to send it. That's good money.


      However, if you can get the numbers down to where they have to send several different mailshots to get even one order - then it starts to look like a pretty unprofitable business model and they'll stop doing it.



      It seems that you don't understand how spamming works. This is a social problem, and cannot simply be "blocked".
      I think I do understand how it works. I absolutely agree that blocking the spam isn't the answer - and that's my entire point. Removing the spammer's motive for sending the spam in the first place is the only answer IMHO.

      --
      www.sjbaker.org
  33. Yes, of course... by michaeltoe · · Score: 4, Insightful
    This is similar to the argument that a computer cannot determine when it's in an infinite loop. Humans, however, can... because they are impatient, and given time, will reexamine the code that is executing.

    Naturally we may be inclined to believe that this grants us superiority to the computer. That, while stating some arbitrary facts taken from some textbook somewhere, a computer can never accomplish X objective.

    Therein lies the fallacy. The computer does not identify that it is in an infinite loop, nor can it, because it is not given the benefit of looking at the actual code. If a compiler were designed to read into code for things like while(true) loops, which naturally could result in infinite loops, then already you would be cutting back on the instances of these problems.

    Determining if there is an infinite loop requires a conscious understanding of the code itself, which is no trivial matter. It is not, however, something that could be deemed impossible.

    As with all fields of science, there will be those who say "Well, I haven't seen it yet, so it will never happen"... but skeptics are everywhere, and the presence of skepticism is hardly a measure of credibility... rather, a measure of how pious certain peoples assumptions are.

    Solutions are always found in math, and never in magic. Don't underestimate the computer, and more importantly, don't underestimate your own brain. You don't perceive things the way you do 'just because'... and that's what's so exciting.

  34. Is this really an expert view? by Tamor · · Score: 3, Insightful

    When I took a look at the first of these two articles which examines end-user anti-spam solutions I had to wonder if the writer had actually tried any of the technology or was relying purely on hearsay. For example:

    Spam senders and their bulk-mailing applications are not static -- they rapidly adapt around filters. For example, to counter word lists, spam senders randomize the spelling of words ("viagra", "V1agra", "\/iaagra"). Hash-busters (sequences of random characters that differ in each email) were created for bypassing hash filters. And the currently popular Bayesian filters are being bypassed by the inclusion of random words and sentences. Most spam filters are only effective for a few weeks at best

    This is the view of someone who clearly has no experience at all with a high-quality Bayesian classifier like POPFile. I've been using this program for almost a year and it most certainly has not been defeated by random words or spelling. Many of the tokens that trip email as being spam are actually unusual items in the headers or sales terminology. After a very brief training period POPFile has continued to provide me with excellent protection from spam and malicious email, with only a few false negatives to retrain on.

    If that's not a good end-user anti-spam solution then I don't know what is.

  35. Sorry Won't Work by Battle_Ratt · · Score: 3, Insightful

    Two words, Joe job.

    Any one of these "solutions" can be exploited to hurt legitimate business. Simply send out a spam campaign on behalf of XYZ company with legitimate credentials, and watch the chaos and disaster at the company as phone lines are cut, merchant accounts cancelled, etc.

    Spammers have already done all sorts of illegal activity to continue their frauds, what's one more to cut the knees out on the competition, or the competition of their customers.