Hidden Messages in Spam
randomwalker writes "There was an extremely interesting presentation at the Blackhat Windows Security Conference in January by Dr Curtis Kret entitled Nobody's Anonymous.
In his presentation he showed how information about spammers can be determined. In addition he showed that some spam is being used as a covert communication channel. This presentation demonstrates how to apply data forensics to spam in order to identify the sender of specific spam messages. Some senders can be identified by name, while others can be distinguished by attributes such as preferences, nationality, religion, and even left-handedness. Four spam categories are provided that classify spam by function, including List Makers, Scams, and Covert Communication channels. The examples provided include full-disclosure case studies: a phishing gang that targets bank customers with malware and impersonations, and an IRC group that uses spam as a covert communication channel."
If you can analyze someone's characteristics then you could emulate them so as to put the blame on the wrong person.
All technology has good and bad uses.
Oh, and Tin Foil Hats are useless - you must use my special patented Irradiated Tin Foil to keep the new mind control machines out.
Kinetic stupidity has a new brand leader: Allen Zadr.
One of the best methods of not having your communications snooped in on is to use a busy, noisy channel. Communications inside of malls, clubs, whatever. It makes perfect sense. People don't expect sensitive information in some sort of public form, so they don't listen for it. We're all so sick of spam that we erase it on sight - so if someone wants to use it to communicate - it's perfect. It draws a hell of a lot less attention to oneself rather than forming a whole new covert form of communication.
What looks more suspicious - a spam with some seemingly random keywords to throw off the filters at the bottom, or a highly encrypted data transmission on an obscure port? I know which one would make me take notice first.
it would also be impossible to tell who the books were intended to (and therefore the US Mil could contact spies who could be in a tight spot, or informants who may be in a tight spot). The books could also contain a bunch of different messages using different cryptographies, in plain sight, to communicate with multiple agents.
:) IRL, however, it would be difficult to use something like this for communication.
:)
Three Days of the Condor is an excellent movie with this very same premise.
If, as you say, some Three-Letter-Agency wanted to get a message to a spy "in a tight spot" they would hardly have time to wait for a conventional printing press to run off a mass-market publication. "Tight spots" need to be resolved in days (if not hours), and to send a message through a printing press can take weeks or sometimes a month to run an edition, bind it and ship it to all corners of the earth.
So I doubt anyone's using this technique with dead-tree publications.
Yeah, and the nature of spam makes steganography EASY. Exactly which mis-spelling is used for a word could encode several bits. Those HTML comments used to obscure could hide entire words, in both content and placement. So could the lists of nonsense words used to defeat SPAM filters.
Maybe, but this might actually mean that the authorities will start putting some actual resources into finding SPAM outlets and shutting them down.
I doubt it. I think spam is too big of a money maker for "legitimate" businesses at this point; ISPs, banks, and of course a Slashdot favorite, marketing departments all are making a buck off of spam.
And don't think the possibility of using it for bad-guy communications will help; they'll just use it to limit freedoms, not actually remove the real problems.
In fact, when I first saw these random word lists the first thing I thought of was hidden communication, NOT defeating filters...
Btw, Usenet also makes a great medium for this since it's possibly even harder to discover the intended recipient (especially when you encode the message in some pictures posted to an alt.binaries.erotica group...).
I applied this method to the latest 100 spam mails and got the following results:
44.3% of the spammers want to get me rich, too.
32.2% want to enlarge my penis
Unbelievable! I never knew you could get 0.1% precision by analyzing a mere 100 discrete samples of email. Or does the 33rd spammer want to enlarge only 20% of your penis? Or is he only 20% sure that he wants to enlarge your entire penis?
Time flies like an arrow. Fruit flies like a banana.
> Great, now, if we can just prove it's being used by Al Qaeda to help
:)
> the Jihad we may finally get some political support for getting rid
> of spammers!
I know your post was modded funny, but it really isn't. But you aren't being paranoid enough.
Broadcasting to agents in the field is not a new idea, using UCE/SPAM is just the latest example.
In WWII the BBC embedded messages in their newscasts. Of course in the current political environment over there they would be more likely to be embedding messages for Al Qaeda.... but that is another rant....
Anyone who has ever listened to a shortwave for any length of time has probably heard a 'numbers' station, long thought to be broadcasts to agents in the field.
Now we see crazy text embedded in spam, often in segments of the message where it would never be seen by the target Outlook drone. Hell, the presence of 'invisible text' makes identifying and filtering it easier so why is it there? Spammers normally go to a lot of trouble to evade filters, the dead giveaway is telling.
I have been observing a similar phenom on Uselessnet for a year or so. Seemingly meaningless streams of words or nonsense sentences spewed out onto usenet, with or without an actual attachment for the binary groups. The ones WITH the attachments are the most interesting. Since most readers of binary groups are mechanical, a post that contains an on topic binary post wouldn't even flag as spam.
No, I'm really paranoid. I now think most spam is coming from intelligence agencies. Think about it, they set up a spamming operation and it at least breaks even or possibly generates actual revenue they can plow back into other covert operations. Sure beats operating a shortwave station at a loss. And you know the CIA will be in the game, they are always good at adopting new technology.
So I'm sure they ARE going after the Al Qaeda spam operation, but you won't see it on TV, it will be Spy vs. Spy games. Hopefully more effective than Mad Magazine.
Democrat delenda est
Not that I would know from experience or anything...
But the gibberish at the bottom (or top or middle) of SPAM is intended to get it by Major Corporate SPAM Filters.
Apparently, the filters check to see if there are a lot of identical messages coming from one place / address. If there are, it starts bouncing them all.
The SPAMmer answer is to include changing gibberish in each message so they are no longer identical. Same goes for your subject lines:
Bi V!agrrra gfkl309dsj
The last piece changes for every message to make the subject unique.
Ah, the fun of the SPAM wars...
That's Mr. Coward to you!
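Added example, not part of the original thread or any commenter's code: the comment above describes filters that count identical messages and senders who append changing gibberish to defeat that count. The sketch below shows the defender's counter to that, grouping near-duplicates by word-shingle Jaccard similarity instead of exact equality. The function names, the 0.6 threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import Counter

def shingles(text, k=3):
    """Set of lower-cased word k-grams; case and punctuation are ignored."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        return {tuple(words)}
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Overlap of two shingle sets, from 0.0 (disjoint) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0

def exact_duplicate_groups(messages, min_size=3):
    """The naive check: only byte-identical messages are counted together."""
    return [m for m, n in Counter(messages).items() if n >= min_size]

def bulk_clusters(messages, threshold=0.6, min_size=3):
    """Greedy clustering: a message joins the first cluster whose
    representative (its first member) is at least `threshold` similar."""
    clusters = []  # list of (representative_shingles, [message indices])
    for idx, msg in enumerate(messages):
        sh = shingles(msg)
        for rep, members in clusters:
            if jaccard(sh, rep) >= threshold:
                members.append(idx)
                break
        else:
            clusters.append((sh, [idx]))
    return [members for _, members in clusters if len(members) >= min_size]

# Constructed sample: one campaign body with a different random tail per copy,
# plus one unrelated legitimate message.
BODY = ("Limited offer: refinance your mortgage today at the lowest rate "
        "available. Click the link below to apply now.")
SAMPLE = [
    BODY + " qzx81 lopwe",
    BODY + " mmv0 ttrk93",
    BODY + " bhe77 zzp kq2",
    "Hi Sam, the meeting moved to 3pm on Thursday. Can you bring the report?",
]

if __name__ == "__main__":
    print("exact-match groups:", exact_duplicate_groups(SAMPLE))
    print("near-duplicate clusters:", bulk_clusters(SAMPLE))
```

The random tail changes only the last few shingles, so the three campaign copies still score 0.76 to 0.8 against each other while the exact-match counter sees three unrelated messages.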
Because it might not be you personally who decided to filter the word viagra. For example, if you're using a hotmail or yahoo account, that word is going to make the mail more likely to be flagged as spam and go to your "bulk mail" folder (I would think). Similarly, you might have installed a third-party spam filter (or your isp or workplace might be using one) that looks for words like this. The fact that "viagra" mail isn't going to reach the end user doesn't mean that he has personally decided to kill all mail to his account about viagra.
I'd rather be lucky than good.