Microsoft Researchers on Stopping Spam
TheBackBencher writes "Scientific American today has a very interesting article about 'Stopping Spam' by Joshua Goodman, David Hackerman and Robert Rounthwaite from Microsoft Research. They talk about different types of spam -- spam with emails, spam on IMs, spam links on web pages and image-based spam. They mention different techniques for spam filtering, mainly fingerprint matching techniques, n-gram models, the naive Bayesian approach, optical character recognition, challenge/response systems and Human Interactive Proofs (HIP), in a very lucid style. They do not, however, mention the fingerprinting approach of using the Nilsimsa hash to tackle the addition of random words by spammers in emails, or the hypertextus interruptus technique used by spammers of splitting words using HTML comments, pairs of zero-width tags, or bogus tags. Also, Spam-Research is reporting the SplitFit Technique that spammers are using to fool Yahoo! Mail SpamGuard."
The ebay.com link showed up at the bottom of the browser, but was replaced with some kind of javascript mouseon event. This is probably not new.
Instead of random text to fool Bayesian filters, it had hidden recent news article summaries (bracketed by html comment tags) that would be similar to what you might post to a friend.
Spam filters will probably be upgraded to catch this soon, but it was the first time I had seen it. And of course, as mentioned in the article, the ebay specifics were obfuscated by HTML tags between letters.
Letter To Iran
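The word-splitting and hidden-comment tricks described in the summary and in the comment above are what a filter's normalization step has to undo before tokenizing. The following is an added example, not code from the article or from any of the posters: it reduces a constructed obfuscated body to the text a reader sees and counts the markup patterns that only make sense as evasion, so they can feed a Bayesian or rule-based filter as features. The sample message and the small allow-list of tag names are constructed for illustration.

```python
"""Normalize HTML-obfuscated mail bodies and score the obfuscation."""
import html
import re

# Constructed sample: letters of "example.com" split by a comment, an empty
# tag pair and a bogus tag, plus a legitimate-looking news blurb hidden in a
# comment to skew word statistics.
SAMPLE = ("Great deals at e<!-- x -->x<b></b>a<qz>m</qz>ple.com today! "
          "<!-- Senate passes budget bill; markets rally on strong earnings. -->"
          "Click <a href='http://example.invalid'>here</a>")

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
TAG_RE = re.compile(r"</?([a-zA-Z][\w:-]*)[^>]*>")
# An opening tag immediately closed by its own end tag renders nothing.
EMPTY_PAIR_RE = re.compile(r"<([a-zA-Z][\w:-]*)(?:\s[^>]*)?>\s*</\1\s*>")
# One or more comments/tags wedged directly between two word characters.
INTRA_WORD_RE = re.compile(r"(?<=\w)(?:<!--.*?-->|<[^>]+>)+(?=\w)", re.S)
# Illustrative allow-list; a real filter would use the full HTML element set.
KNOWN_TAGS = {"a", "b", "i", "u", "p", "br", "div", "span", "font", "img",
              "table", "tr", "td", "html", "body", "head", "title",
              "strong", "em"}


def normalize(raw):
    """Return the visible text: comments dropped, tags removed, entities
    decoded, whitespace collapsed, so split words rejoin into one token."""
    text = COMMENT_RE.sub("", raw)
    text = TAG_RE.sub("", text)
    return re.sub(r"\s+", " ", html.unescape(text)).strip()


def hidden_comment_text(raw):
    """Text the reader never sees; long natural-language comment bodies are
    themselves a strong signal that the statistics are being padded."""
    return " ".join(m.group(1).strip() for m in COMMENT_RE.finditer(raw)
                    if m.group(1).strip())


def obfuscation_features(raw):
    """Count evasion patterns on the comment-stripped markup."""
    stripped = COMMENT_RE.sub("", raw)
    tag_names = [m.group(1).lower() for m in TAG_RE.finditer(stripped)]
    return {
        "word_splits": len(INTRA_WORD_RE.findall(raw)),
        "empty_pairs": len(EMPTY_PAIR_RE.findall(stripped)),
        "bogus_tags": sum(1 for t in tag_names if t not in KNOWN_TAGS),
    }


if __name__ == "__main__":
    print(normalize(SAMPLE))
    print(obfuscation_features(SAMPLE))
```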
Maybe you didn't quite understand what I was talking about.
This would be completely done server side. Just like when you send an e-mail to a host and you get returned mail because you somehow typed in the address improperly. There would be no difference between that message and one that was sent to a user and then flagged as spam. It would be impossible to tell whether the user was a valid address or not.
That's what I am getting at.
Also, Spam-Research is reporting the SplitFit Technique that Spammers are using to fool Yahoo! Mail SpamGuard."
How much credence should we put into an analysis from a guy who goes to the spammer's web site to unsubscribe?
I thought the name David Hackerman was a bit too good to be true, and it turns out it was. Following the link shows that his name is David Heckerman. Note to /. eds: please proofread your posts. It's not like they're very long...
Your unsubscribe is executed on a bot (a captured machine) which the bad guys can look at, after taking precautions not to be observed, and harvest what they want from it. The good guys, if they capture the machine, will just get your address (if it isn't encrypted by the bad guys) and a machine that is acting funny (if they don't know how to knock to get into the bot-ware). Since logging cannot be trusted on a compromised machine, what they need is a non-compromised machine beside the compromised one (on the same segment) to watch the traffic go in and out... a honeypot. That is a lot of hard work.
Between SpamAssassin, procmail, and MUA filtering rules, I rarely get to see spam anymore. The spam which does slip through is so absurd and surreal that it's more hilarious than annoying.
If everybody did this, the volume of spam would quickly dry up. Because when people don't see the spam, they can't respond to it, and when they don't respond to it, the spammer doesn't have a business.
Educate the people around you and help them reduce the spam that gets to their inbox. Don't support solutions which effectively render nodes at the network periphery to second-class status.
Legislate against spam. As long as spam is legal, or the penalties against it are too low, or it is too easy to do, people will continue to try and make a quick buck.
I don't see that helping. Legislate in what jurisdiction? In which countries can it be enforced? Note that one can simply lease servers in a country immune to such legislation, or outsource to a company in such a country.
Besides, FAX spam has been illegal for years, yet it continues to happen pretty constantly.
Also, force all ISPs to monitor how much bandwidth a source uses. If you get too much usage per day, say 200 megabytes or more, then that person has to explain why they need that much bandwidth.
My DSL provider seems to have recently blocked port 25 outbound on me. Thanks to spammers I'm sure. So now I'm forced to use SBC's mail servers, or use a different port on my own servers.
Which is not fair at all. Neither would a bandwidth cap, when I'm paying for "unlimited" usage regardless of what port(s) the traffic may travel on.
Also, force all email to have some element which identifies the source. Not just a header that can be forged, but something that can't be hacked. And if a source cannot be found, but it is selling a product on an identifiable site, charge that site just as if they were the ones sending the spam.
I can deal with the first part of this: if everyone can agree on some authentication/validation standard, some verification can be good. As long as it doesn't cost the sending server operator anything other than the time taken to verify who they are.
The second part, though, won't fly. Forging the sender's address and/or IP is entirely too simple. And I've seen spam promoting a completely unaffiliated site, in the interest of getting a competing site shut down. In other words, send anonymous (forged headers) spam promoting your competitor, getting them shut down. Unless it can be proved beyond reasonable doubt that the company in question is in fact responsible for the spam, you can't convict or punish them...
People don't send spam from their ISP's account.
Very true. They use a botnet.
They send it straight through their computer.
No, they don't. It's too easy to be on an RBL.
Now, you could put outbound filtering on port 25, and require everyone to send mail through the ISP's servers (with authenticated SMTP of some sort), though there will be some legitimate traffic suppressed if that happens...
The botnet is used to send just a few e-mails from each bot. Get an unfiltered inbox. Check the multiple copies of SPAM you get from different senders. Check the headers. Identical SPAM arriving from many domains typically hits my inbox within a half hour of each other. This is the telltale sign of a botnet sending SPAM.
The truth shall set you free!
Now, you could put outbound filtering on port 25, and require everyone to send mail through the ISP's servers (with authenticated SMTP of some sort), though there will be some legitimate traffic suppressed if that happens...
Back in 1999 when I worked for a hosting provider, I hated that some ISPs were doing this. Having to explain to our users why exactly they couldn't use their own SMTP server (our servers) was a nightmare. It also sucked for me with my laptop; I could be home, where I had to use my ISP's server, or I could be at a hotel where I had to go change my settings to use my own (hosted) mail server.
But I've come to the conclusion that disallowing outbound port 25 traffic isn't such a bad thing. A zombied machine on a DSL or cable connection can be dangerous, and can go undetected for months sending spam... and though it's a minor inconvenience to me (since SBC started doing this recently), if it stops some of the spam I receive then I'm all for it.
SBC seems to now require that I use their SMTP servers, but I can still specify my From:, Reply, and Return-Path addresses as I see fit -- so it really doesn't make a difference to me once it's been (re-)configured to use the appropriate SMTP server.
Personally I'm a fan of SMTP-Auth, which I believe most (all?) clients support these days... but that still doesn't prevent worms/trojans from sending spam through the configured outbound server if the login info is accessible...