Spam Gets Personal
Vitaly Friedman writes "Two researchers demonstrate how much more effective spam could become if its authors used basic data-mining to personalize their messages. From the article: "North America, though no longer the world leader in spam production, still has serious potted meat problems. A recent research paper out of the University of Calgary suggests that those problems could soon be a lot worse if spam creators adopt a few simple data-mining procedures.""
If this isn't personalized, what more can I expect? :)
http://it.slashdot.org/article.pl?sid=06/04/28/1811210
And not very accurate the first time, either. Since Mom probably isn't going to be sending me v1agr4 ads, it will be easy to find and clean the infected machines.
Thanks! just what I want spammers to know
University of Calgary!!!!!!!!!
Are they also hosting some pages on their site to help me make anthrax or a nuclear bomb? How about how to pick up underage girls?
Seriously; do the spammers NEED any more help?
Humor from a Genetically Molested Mind
Two researchers demonstrate how much more effective the AIDS virus could become if only a few basic modifications could be made to personalize the attack on the immune system.
The US most definitely is the world leader in the production of spam
treat the disease not the symptoms
And while we are at it, let's publish a paper telling people how to do a better job money laundering, or a new way to smuggle cocaine into the country.
I'm lumping this article describing how spammers could be yet MORE annoying with the Fox News special reports in which Geraldo Rivera details how many people could be killed if "terrorists were to jump this 6 foot chain-link fence and put a couple buckets of toxins in this bay-area reservoir".
Thanks - hope those spammers/terrorists have TiVo and a notepad.
Scott Richter, are you getting all this?
I'm ready to give up on email because of the spam load. At this point I'm seeing mail servers with significant load simply for spamchecking, graylisting, and hanging up on bogus inbound connections. Face it, smtp doesn't work. It's a tragedy of the commons happening right in front of all of us.
We need something different that focuses on point to point authentication of hosts and users. Frankly, hardware DRM or immutable hostids build-on to motherboards might offer at least a host authentication solution. Not a popular suggestion, I know...
The reason they don't do this now is that the spammers doing it are not geeks. They're taking pre-built scripts, modifying some parameters, and letting them go. They will keep doing this until those scripts no longer work, and then they will move onto newer ones. The only way this will happen is if some hacker gets bored, reads this article, and decides there's a lot of cash to be made selling just such a thing to the spammers.
Be real -- no matter how personalized an email gets, I'm still going to know it's not from somebody I know, because I don't make email my primary mode of correspondence and where I do, I can easily figure out that my mother isn't going to be sending me ads for Viagra.
Now, if they could make a Turing-capable spam generator, I'd be impressed.
GetOuttaMySpace - The Anti-Social Network
How else would they know my p3n1z i5 5m@LL?
"It's a wonderful idea. But it doesn't work." -- Tad Danielewski
fantastic. you've now told spammers how to defeat basically every statistical spam filter. now i get to attempt to teach the generally tech-clueless people in my life about pgp or equivalent so that i can automatically block all non-signed email. except i can't, because there are no online vendors / banking services / etc. that sign their outbound email, to the best of my knowledge.
just because you know how to do something like essentially unbreakable steganography in video sequences doesn't mean that it's something you need to share with the rest of the world.
So, that's why I get all those VIAGRA messages?
One thing to note, however... Once you start mining information from a Zombie (which -- to be honest has already been done), it makes it easier to identify the zombie and shut it down. (I.e. if I get a spam with information from mikie's machine, I'll immediately phone him and tell him to shut down and clean up his machine. Now mikie's machine is unavailable to the spammers.)
I think that that is the real reason why zombie systems don't use data mining.... It's like an 'undercover' cop who fingers every low-level pusher-addict he runs into.... He'll never live long enough to get the information he wants on what goes on inside the biker gang's 'clubhouse'.
This is one of the things that I do... I wrote a filter that peels apart an email, removes the 'legitimate' IPs in the Received: headers collected en route, and attempts to send an email to the IP responsible for the source of the email. It usually takes them a while, but they will shut down the responsible zombie.
I stopped doing that for a couple of months, and my spam climbed to unbearable levels. I started using the script again a couple of days ago, and the spam I've been getting has already dropped noticeably.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
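The Received: header walk described in the comment above, as an added example that is not the poster's script: it skips hops recorded about relays you trust and returns the first peer IP outside them. The function name, the `trusted_nets` parameter and the sample message are assumptions constructed for illustration, and only bracketed IPv4 literals are handled.

```python
import email
import ipaddress
import re

# IPv4 literal in brackets, as relays usually record the connecting peer.
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def injecting_ip(raw_message, trusted_nets):
    """Return the first peer IP outside trusted_nets, or None if there is none."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    msg = email.message_from_string(raw_message)
    # Each relay prepends its header, so the list runs newest hop first.
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())         # undo header folding
        from_clause = flat.split(" by ", 1)[0]  # the part describing the peer
        match = PEER_IP.search(from_clause)
        if not match:
            continue                            # e.g. local submission, no peer IP
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue                            # malformed literal such as 999.1.1.1
        if any(ip in net for net in nets):
            continue                            # hop recorded about a trusted relay
        # First peer we do not control: every older header could be forged.
        return str(ip)
    return None

# Constructed sample (documentation address ranges): our edge relay is 192.0.2.10,
# and the oldest header is the kind of forged line a sender can prepend.
SAMPLE = """\
Received: from mx-edge.example.org (mx-edge.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id A1; Fri, 28 Apr 2006 18:11:00 -0600
Received: from friendly-name (unknown [203.0.113.45])
\tby mx-edge.example.org with SMTP id B2; Fri, 28 Apr 2006 18:10:58 -0600
Received: from bank.example.com ([198.51.100.9])
\tby forged-relay.invalid with SMTP id C3; Fri, 28 Apr 2006 18:00:00 -0600
From: someone@example.com
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print(injecting_ip(SAMPLE, ["192.0.2.0/24"]))
```

The returned address is the one to look up for an abuse contact; the forged 198.51.100.9 line is never reached because the walk stops at the first hop outside the trusted networks.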
Every day I get quite upset by opening my real-life mailbox.
It's totally unacceptable: Buried below a ton of trash I find two seriously dangerous invoices with 4-digit numbers in the red. If I ever miss out one of them I'd probably go to jail, but hey, why not throw another pizza flyer on top of all that, the planet sure can handle this and what else are those trees for?
Personally if I was going to choose I'd vote for e-mail spam just to get rid of this total waste of resources.
There should be a LAW against this, and against buying from spammers, real-life or virtual.
Fortunately for those who detest spam, the authors also present four new defenses that could help stop this newer, more personalized spam. First, e-mail archives can be encrypted, making it difficult for malware to mine them for information.
WOW - so I've got to accept that my computer IS broken into and encrypt even local data? Thank you very much - my computer would rather not be broken into.
Second, these archives can also be "salted" with false information such as spam trap addresses. Third, the authors suggest that all URLs followed from an e-mail client be viewed in a "sandboxed" browser that would prevent automatic downloads.
Sandboxed browser? Ok - they're joking. Who uses external content displaying in their mail? And anyone hasn't got a "HTML=+80% spam" rule in mail client yet, generated AUTOMATICALLY FROM EXAMPLES?
Finally, anti-spam filters can be adjusted to better screen for these types of attacks.
Care to elaborate?
Ok - this is all going in the wrong direction. Why shouldn't I trust *my system*? Why should I allow my incoming mail to use outside objects? I thought that people, who can build a natural-language-messages data mining / composing system can understand basics of home computer security...
Besides - if spam will mimic a friend's style and probably send mail as that friend - then you know exactly who to filter out and who needs billing for "PC security" lessons.
I can't speak for UKian snail mail, but here in the US critically important mail -- usually legal mail -- is sent return receipt requested. Meaning that someone has to sign for the mail, and if no one is available to sign one must go to the post office to sign and pick up the letter.
There is nothing analogous to that in email. Primarily because there is no mechanism to first ensure authenticity and then ensure delivery. A public-key cryptographic system that used hardware level keys (or key generation) could at least ensure authenticity point to point during envelope exchange. Knowing for certain exactly which host sent a message would mean being able to track down hosts sending spam. It would also mean being able to reject mail from specific hosts, rather than ever shifting IP addresses.
The whole point of the spam business model is that it's low-cost. Any filtering would raise costs compared to simply flooding the world with the same payload.
If spammers were in the slightest interested in addressing their markets, I wouldn't be seeing several thousand Asian-language spam per day addressed to a North American mail server. None of us would be seeing spam with hash-busters, mangled "Subject:" lines, and other filter avoidance hacks.
This seems like one more attempt to promote the idea of "good spam" for mainsleazers like Kohl's department stores.
Lacking <sarcasm> tags,
This is my own personal opinion, but I think e-mail has to go in the direction of EASY TO USE crypto based authentication. This technology already exists (pgp) and is used heavily by the computer security industry. It would make a lot of sense IMHO if EVERY e-mail from my bank was cryptographically signed using the bank's private key. Websites are encrypted and authenticated using public/private key cryptography (SSL), why can't the same thing be done for e-mail?
If Microsoft, Apple, Ebay/Paypal, Verisign, a few banks etc... got together, agreed to a SINGLE existing standard, and implemented it in a transparent and easy to use way, it might go a long way to reducing spam. Citibank could say, "all e-mail we send is cryptographically signed by Citibank. If you get an e-mail that is not signed by Citibank, then it isn't from us." Obviously there are still USARS out there who wouldn't get it, but i think this would be a big step in the right direction.
(P.S. Yes I know a variety of e-mail programs implement various crypto stuff already, but as far as I can tell, almost no one uses it or knows how to use it.)
There will always be a relatively small percentage of people who show maladaptive behavior. Just as there is a much larger percentage of people willing to take advantage of those unable to control themselves. It's criminals and their victims vs. everyone else.
The solution is not to be found in expecting *everyone* to change their behavior, because such an expectation is bound to fail. The solution is to be found in tightening up the mechanism behind data authentication and transport, both with technology and laws. Just as was done with snail mail in the past. At one point the government realized that mail needed to be stamped, tracked from post office to post office, and then hand delivered by someone responsible. Well, we needn't charge to stamp email - but we certainly need to stamp it with an immutable ID, track its movements from host to host with immutable ID stamps, and then authenticate delivery at a specific host.
This can only be done with cryptographic hardware installed on every machine, and a new SMTP protocol. Sucks, doesn't it. Bye bye anonymity, but at least it would get rid of spam. Pick your poison.
Damn spammers hiring researchers to figure out better ways to get spam delivered. Don't they teach ethics anymore?
This also qualifies as a DUH! Of course if you send spam that looks like it comes from someone you know it has a better chance of getting through.
And yet, if you look at any posts about how Microsoft or Sony or whatever are trying to keep their software's flaws obscure so they don't get exploited, the Slashdot community generally rails on them like there's no tomorrow. So hypocritical.
I thought people here were generally smart enough to know that security by obscurity doesn't work. Just because Joe Spammer doesn't care to tinker around to make his spam more devious doesn't mean Joe Hacker isn't gonna do it just for the hell of it and pass it along to Joe Spammer somehow.
I'm reminded of Mark Buller, the guy who improved the accidental enhancement of mousepox into a 100% deadly disease even in mice vaccinated against it. A guy named Ramshaw was researching transmissible mouse contraceptives to deal with an overpopulation problem and spliced a gene for the immunosuppressant IL-4 into mousepox. Unfortunately, this led to the death of 60% of the test mice. Buller published research where he expanded on this idea by putting the IL-4 gene in a better spot and put in another gene to maximize production. This killed mice even treated with anti-viral drugs with a nearly 100% fatality rate.
Fortunately, however, Buller seems to have tried to make up for this a little by having come up with a counter-measure. This provides a hope for some people to live in case of genetically engineered smallpox, but I don't think that the kind of drugs required are even close to being common and inexpensive enough to help the public at large.
One of these days, I'm worried that unethical or thoughtless biologists are going to publish exploits for the human immune system, and one of these days technology is going to get cheap enough and ubiquitous enough for the biologist equivalent of a script kiddie to wage genocide. I'm worried that in the next century, we're going to get an object lesson in just how hard it is to "patch and update" our immune system.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Talk about hitting the nail on the head. Who knew an 18-year-old needed Viagra?
The TREC tests involved tests on 350,000 email messages. A 92,000 message public corpus from this effort is available for free download.
John Graham-Cumming (no relation to TREC) has created SpamOrHam -- a community-based effort to adjudicate the judgements in the TREC corpus. This'll let us test in a big way Yerazunis' contention that spam filters are better than humans.
Any filter writer can participate in TREC 2006 by submitting a letter of intent now and a filter in due course.
There's also an upcoming scientific spam conference this summer - CEAS.
As far as the load on mail servers, there's plenty of middle ground between waiting for an RFC or capitulating to DRM to fix the SMTP problem. Mindshare is the only real obstacle between the way things are & a least-privilege mail system that uses strongly signed logins integrating a sender/receiver pair hash. Hell, I'd use & spread an alternative and experimental system like that, standards be damned. I mean, where's the W3C spec for onion routers and torrents, et al.?
Pi Ran Out