Slashdot Mirror


Spam Gets Personal

Vitaly Friedman writes "Two researchers demonstrate how much more effective spam could become if its authors used basic data-mining to personalize their messages. From the article: "North America, though no longer the world leader in spam production, still has serious potted meat problems. A recent research paper out of the University of Calgary suggests that those problems could soon be a lot worse if spam creators adopt a few simple data-mining procedures.""

16 of 141 comments

  1. Security Through Obscurity by Anonymous Coward · · Score: 4, Insightful

    Thanks! just what I want spammers to know

  2. What else do they have? by drsmack1 · · Score: 4, Insightful

    Are they also hosting some pages on their site to help me make anthrax or a nuclear bomb? How about how to pick up under age girls.

    Seriously; do the spammers NEED any more help?

    1. Re:What else do they have? by saltydogdesign · · Score: 2, Insightful

      Yes, hiding information that spammers will eventually happen upon independently will greatly enhance our ability to fight them.

      Oh, wait...

      --
      // This is not a sig.
  3. Great! and in other news... by truckaxle · · Score: 4, Insightful

    Two researchers demonstrate how much more effective the AIDS virus could become if only a few basic modifications could be made to personalize the attack on the immune system.

    1. Re:Great! and in other news... by mctk · · Score: 3, Insightful
      The problem is not the supply, it's the demand. As long as people keep clicking those links, spammers will keep sending. And spam is evolving at a much faster rate than our filters. You think spammers don't know this stuff? The best filter is an educated user.

      In response to your analogy, isn't it a good thing that scientists be aware of this and prepared to respond?

      --
      Paul Grosfield - the quicker picker upper.
    2. Re:Great! and in other news... by kisrael · · Score: 2, Insightful

      I get the feeling the response rates are so ridiculously frickin' low already that removing the last bit of idiot clicking is going to be an impossible task.

      --
      SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
  4. smtp doesn't work by maynard · · Score: 2, Insightful

    I'm ready to give up on email because of the spam load. At this point I'm seeing mail servers with significant load simply for spamchecking, graylisting, and hanging up on bogus inbound connections. Face it, smtp doesn't work. It's a tragedy of the commons happening right in front of all of us.

    We need something different that focuses on point to point authentication of hosts and users. Frankly, hardware DRM or immutable hostids built on to motherboards might offer at least a host authentication solution. Not a popular suggestion, I know...

  5. Re:Why are we helping spammer? by fosterNutrition · · Score: 5, Insightful

    Don't be so hasty to attack their research. If you think about it, this isn't really any different from publishing a whitepaper showing how to break the DRM on a file, or how to phreak an old phone. No, this is not intended as flamebait, but it seems to me like any distinction drawn between those actions is based simply on the prevailing culture and attitudes at /. where breaking DRM = good, sending spam = bad.

    Now I'm not trying to argue that we should have more spam, but the people at Sony would also not want to argue that we should have more DRM-cracking. It's simply a matter of perspective. And anyway, I'm sure the paper (no I didn't RTFA) was created to try to address the problem before it really shows up so it's not so bad rather than encouraging the noxious spamlords.

  6. Re:Why are we helping spammer? by kratei · · Score: 3, Insightful
    They thought some people would say that they shouldn't be doing this kind of research:

    "Some might argue that publishing such research will only guarantee that the ideas are used by spammers, but the authors are convinced that such personalization will happen sooner or later anyway, and that it's better to be prepared for the inevitable than not to talk about it."

    I don't know if I wholly agree with them, but at least give them credit for thinking that they can head the spammers off at the pass. Maybe they really think that an ounce of prevention is worth a pound of cure.

  7. Yeah, he's right. by darkonc · · Score: 3, Insightful
    My first response was 'Thanks you creeps -- you just created a new monster'.... But I've been thinking the same things for years, and it's only time before spammers do this sort of garbage.

    One thing to note, however... Once you start mining information from a Zombie (which -- to be honest has already been done), it makes it easier to identify the zombie and shut it down. (I.e. if I get a spam with information from mikie's machine, I'll immediately phone him and tell him to shut down and clean up his machine. Now mikie's machine is unavailable to the spammers.)
    I think that that is the real reason why zombie systems don't use data mining.... It's like an 'undercover' cop who fingers every low-level pusher-addict he runs into.... He'll never live long enough to get the information he wants on what goes on inside the biker gang's 'clubhouse'.

    This is one of the things that I do... I wrote a filter that peels apart an email, removes the 'legitimate' IPs in the Received: headers collected en route, and attempts to send an email to the IP responsible for the source of the email. It usually takes them a while, but they will shut down the responsible zombie.

    I stopped doing that for a couple of months, and my spam climbed to unbearable levels. I started using the script again a couple of days ago, and the spam I've been getting has already dropped noticeably.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
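
A sketch of the Received-header walk darkonc describes above, added here as an example; it is not his script and not part of the original thread. It assumes your own relays sit in a known network (`TRUSTED`, a hypothetical value) and that they record the connecting peer's IP in square brackets; headers below the first untrusted hop are sender-controlled and are ignored.

```python
import email
import ipaddress
import re

# Constructed sample message; all addresses come from documentation ranges.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id A1; Mon, 1 Jan 2007 10:00:03 +0000
Received: from edge.example.net (edge.example.net [192.0.2.5])
\tby mx2.example.net with ESMTP id B2; Mon, 1 Jan 2007 10:00:02 +0000
Received: from friendly-pc (unknown [203.0.113.77])
\tby edge.example.net with SMTP id C3; Mon, 1 Jan 2007 10:00:01 +0000
Received: from bank.example.com (bank.example.com [198.51.100.9])
\tby friendly-pc with SMTP id FAKE; Mon, 1 Jan 2007 09:00:00 +0000
From: someone@example.com
Subject: constructed test

body
"""

# Assumption: relays we operate (and loopback) live in these networks.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24"),
           ipaddress.ip_network("127.0.0.0/8")]

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def peer_ip(received_value):
    """Return the connecting peer's IP from one Received header, or None."""
    # Only the 'from ...' clause describes the peer; drop 'by ...' onwards.
    from_part = re.split(r"\sby\s", received_value, maxsplit=1)[0]
    match = IP_IN_BRACKETS.search(from_part)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None

def first_untrusted_hop(raw_message, trusted=TRUSTED):
    """Walk Received headers newest-first; return the first peer IP that is
    not one of our relays. That host handed the mail to us; every header
    below it was written by the sender's side and may be forged."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        ip = peer_ip(value)
        if ip is None:
            return None  # chain broken; nothing further down is verifiable
        if not any(ip in net for net in trusted):
            return ip
    return None  # mail never left our own relays
```

For the constructed sample this reports 203.0.113.77 and never looks at the forged `bank.example.com` line beneath it.
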
  8. Recommendations by Viraptor · · Score: 5, Insightful

    Fortunately for those who detest spam, the authors also present four new defenses that could help stop this newer, more personalized spam. First, e-mail archives can be encrypted, making it difficult for malware to mine them for information.


    WOW - so I've got to accept that my computer IS broken into and encrypt even local data? Thank you very much - my computer would rather not be broken into.

    Second, these archives can also be "salted" with false information such as spam trap addresses. Third, the authors suggest that all URLs followed from an e-mail client be viewed in a "sandboxed" browser that would prevent automatic downloads.


    Sandboxed browser? Ok - they're joking. Who uses external content displaying in their mail? And anyone hasn't got a "HTML=+80% spam" rule in mail client yet, generated AUTOMATICALLY FROM EXAMPLES?

    Finally, anti-spam filters can be adjusted to better screen for these types of attacks.


    Care to elaborate?

    Ok - this is all going in the wrong direction. Why shouldn't I trust *my system*? Why should I allow my incoming mail to use outside objects? I thought that people, who can build a natural-language-messages data mining / composing system can understand basics of home computer security...
    Besides - if spam will mimic a friend's style and probably send mail as that friend - then you know exactly who to filter out and who needs billing for a "PC security" lessons ;)
  9. USian snail mail: return receipt requested by maynard · · Score: 2, Insightful

    I can't speak for UKian snail mail, but here in the US critically important mail -- usually legal mail -- is sent return receipt requested. Meaning that someone has to sign for the mail, and if no one is available to sign one must go to the post office to sign and pick up the letter.

    There is nothing analogous to that in email. Primarily because there is no mechanism to first ensure authenticity and then ensure delivery. A public-key cryptographic system that used hardware level keys (or key generation) could at least ensure authenticity point to point during envelope exchange. Knowing for certain exactly which host sent a message would mean being able to track down hosts sending spam. It would also mean being able to reject mail from specific hosts, rather than ever shifting IP addresses.

  10. Content based anti-spam will never be complete by fortinbras47 · · Score: 2, Insightful
    The main methods for detecting spam currently are blacklists and content based filters (either automatic or human). Blacklists are easily defeated by zombies and content based filters will always have problems because spam content can be very similar to valid content.

    This is my own personal opinion, but I think e-mail has to go in the direction of EASY TO USE crypto based authentication. This technology already exists (pgp) and is used heavily by the computer security industry. It would make a lot of sense IMHO if EVERY e-mail from my bank was cryptographically signed using the bank's private key. Websites are encrypted and authenticated using public/private key cryptography (SSL) why can't the same thing be done for e-mail?

    If Microsoft, Apple, Ebay/Paypal, Verisign, a few banks etc... got together, agreed to a SINGLE existing standard, and implemented it in a transparent and easy to use way, it might go a long way to reducing spam. Citibank could say, "all e-mail we send is cryptographically signed by Citibank. If you get an e-mail that is not signed by Citibank, then it isn't from us." Obviously there are still USARS out there who wouldn't get it, but I think this would be a big step in the right direction.

    (P.S. Yes I know a variety of e-mail programs implement various crypto stuff already, but as far as I can tell, almost no one uses it or knows how to use it.)

  11. Security by obscurity. by posterlogo · · Score: 2, Insightful
    I find it remarkable that so many replies here in the slashdot community are along the lines of "oh no! you're just showing the spammers/terrorists how to do it better!"

    And yet, if you look at any posts about how Microsoft or Sony or whatever are trying to keep their software's flaws obscure so they don't get exploited, the Slashdot community generally rails on them like there's no tomorrow. So hypocritical.

    I thought people here were generally smart enough to know that security by obscurity doesn't work. Just because Joe Spammer doesn't care to tinker around to make his spam more devious doesn't mean Joe Hacker isn't gonna do it just for the hell of it and pass it along to Joe Spammer somehow.

  12. Psychopathic science and immune exploits. by Valdrax · · Score: 2, Insightful

    I'm reminded of Mark Buller, the guy who improved the accidental enhancement of mousepox into a 100% deadly disease even in mice vaccinated against it. A guy named Ramshaw was researching transmissible mouse contraceptives to deal with an overpopulation problem and spliced a gene for the immunosuppressant IL-4 into mousepox. Unfortunately, this led to the death of 60% of the test mice. Buller published research where he expanded on this idea by putting the IL-4 gene in a better spot and put in another gene to maximize production. This killed mice even treated with anti-viral drugs with a nearly 100% fatality rate.

    Fortunately, however, Buller seems to have tried to make up for this a little by having come up with a counter-measure. This provides a hope for some people to live in case of genetically engineered smallpox, but I don't think that the kind of drugs required are even close to being common and inexpensive enough to help the public at large.

    One of these days, I'm worried that unethical or thoughtless biologists are going to publish exploits for the human immune system, and one of these days technology is going to get cheap enough and ubiquitous enough for the biologist equivalent of a script kiddie to wage genocide. I'm worried that in the next century, we're going to get an object lesson in just how hard it is to "patch and update" our immune system.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  13. Aah! No! by RareButSeriousSideEf · · Score: 2, Insightful
    I'd gladly manage a behemoth amount of spam before I'd accept a treacherous mobo in my machine - turned against me by little lice squirming within legislative chambers and California corporate boardrooms.

    As far as the load on mail servers, there's plenty of middle ground between waiting for an RFC or capitulating to DRM to fix the SMTP problem. Mindshare is the only real obstacle between the way things are & a least-privilege mail system that uses strongly signed logins integrating a sender/receiver pair hash. Hell, I'd use & spread an alternative and experimental system like that, standards be damned. I mean, where's the W3C spec for onion routers and torrents, et al.?