Bot Nets Behind Recent Spam Surge
gsslay writes "Everyone must have noticed a surge in spam recently, particularly for stock pump 'n' dump scams. The Register reports that anti-spam companies have seen a 30% increase in the last two months and, more worryingly, more of this spam is getting through to mailboxes due to the spammers' change in tactics. Rather than use unsecured mail relays spammers are using bot nets, making spam harder to identify and eliminate. Bounced spam is also on the up, and some experts reckon it's past time to start worrying. "
Honestly, it was past time to start worrying about 2 years ago. Two years ago I had the feeling that the rising amount of spam was going to cause significant problems to the point where mail servers would no longer be maintainable and the internet may become unusable. But now here we are, nothing truly significant. More spam taking more space and driving the load up a bit on servers, but not necessarily crippling everything as we expected.
I also haven't really noticed this increase that people have talked about lately. On average I receive over 11,000 spam messages a month to my primary email account. Here is the count per month for the past two and a half years:
2004-07: 9088
2004-08: 9057
2004-09: 8990
2004-10: 14318
2004-11: 9910
2004-12: 11521
2005-01: 11251
2005-02: 9381
2005-03: 10843
2005-04: 10084
2005-05: 11785
2005-06: 10987
2005-07: 10505
2005-08: 9333
2005-09: 9704
2005-10: 12329
2005-11: 12394
2005-12: 14934
2006-01: 13764
2006-02: 13235
2006-03: 14562
2006-04: 11946
2006-05: 14204
2006-06: 13801
2006-07: 9671
2006-08: 10395
2006-09: 11373
2006-10: 12221
But this Bayesian strategy has been overcome by the spammers. They use hilariously strange word ordering to trick the spam filter and lower their threshold (see Graham's Lisp code) down to an acceptable range. Here's a piece of text from some spam that made it into my mailbox this morning: And it goes on for about 7 paragraphs with absolutely nothing to do with its pitch. It's because of this nonsense that it makes it into my mailbox in the first place.
How do we eradicate this problem? What strategies do we use next?
Well, I would suggest that we stick to the Bayesian approach but instead of tokenizing via Paul Graham's proposed algorithm, we could investigate tokenizing the text based on letter groups (divide 'words' into 2-3 letter groups and test for those frequencies) or even natural language parsing. Yes, I know it sounds absurd but I really think that an engine could be written in Prolog using WordNet or another dictionary with some basic English rules in an attempt to parse and analyze incoming text.
Who knows? Perhaps our need for a spam filtering engine could breed innovation in the AI community?
My work here is dung.
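To make the word-padding trick concrete, here is an added example (my own code, not anything from the thread or from Graham's Lisp): a small Graham-style Bayesian filter with a pluggable tokenizer, trained on a constructed eight-message corpus. It scores a short stock pitch, then the same pitch padded with words lifted from the legitimate-mail corpus, once with whole-word tokens and once with the letter groups proposed above (three-letter groups here). The corpora, the pitch and the padding are all made up for the demo.

```python
import math
import re
from collections import Counter

# Constructed toy corpora (not from the thread): four spam pitches and four
# ordinary office messages.
SPAM_CORPUS = [
    "buy this hot penny stock now and watch it soar",
    "hot stock alert buy now before the price explodes",
    "penny stock pick of the week buy today",
    "this stock will explode buy now",
]
HAM_CORPUS = [
    "can we meet tomorrow to review the quarterly report",
    "the meeting is moved to thursday please update your calendar",
    "thanks for the report see you at the meeting tomorrow",
    "please review the attached calendar before thursday",
]
PITCH = "buy this penny stock now"
# Padding lifted from the ham vocabulary: the trick the comment describes.
HAM_PADDING = ("can we meet tomorrow to review the quarterly report the meeting "
               "is moved to thursday please update your calendar")


def word_tokens(text):
    """Graham-style tokenizer: whole words."""
    return re.findall(r"[a-z]+", text.lower())


def trigram_tokens(text):
    """The comment's proposal: split each word into overlapping 3-letter groups."""
    toks = []
    for w in word_tokens(text):
        toks.extend([w] if len(w) < 3 else [w[i:i + 3] for i in range(len(w) - 2)])
    return toks


class GrahamFilter:
    """Minimal Bayesian filter after Paul Graham's 'A Plan for Spam', with a
    pluggable tokenizer. Every token in the message votes (Graham keeps only
    the 15 most interesting ones; this toy corpus is too small for that)."""

    def __init__(self, tokenize):
        self.tokenize = tokenize
        self.good, self.bad = Counter(), Counter()
        self.ngood = self.nbad = 0

    def train(self, text, spam):
        toks = set(self.tokenize(text))          # count each token once per message
        if spam:
            self.bad.update(toks)
            self.nbad += 1
        else:
            self.good.update(toks)
            self.ngood += 1

    def token_prob(self, tok):
        g, b = self.good[tok], self.bad[tok]
        if g == 0 and b == 0:
            return 0.4                            # Graham's prior for unseen tokens
        good_rate = min(1.0, 2 * g / self.ngood)  # ham count doubled to bias against false positives
        bad_rate = min(1.0, b / self.nbad)
        return min(0.99, max(0.01, bad_rate / (good_rate + bad_rate)))

    def score(self, text):
        """P(spam) = prod(p) / (prod(p) + prod(1-p)), computed in log space."""
        log_p = log_q = 0.0
        for tok in sorted(set(self.tokenize(text))):
            p = self.token_prob(tok)
            log_p += math.log(p)
            log_q += math.log(1.0 - p)
        diff = log_q - log_p
        return 0.0 if diff > 700 else 1.0 / (1.0 + math.exp(diff))


def build_filter(tokenize):
    """Train a filter on the constructed corpora with the given tokenizer."""
    f = GrahamFilter(tokenize)
    for text in SPAM_CORPUS:
        f.train(text, spam=True)
    for text in HAM_CORPUS:
        f.train(text, spam=False)
    return f


def demo():
    """Scores for the bare pitch and the padded pitch under both tokenizers."""
    out = {}
    for name, tok in (("words", word_tokens), ("trigrams", trigram_tokens)):
        f = build_filter(tok)
        out[name] = (f.score(PITCH), f.score(PITCH + " " + HAM_PADDING))
    return out


if __name__ == "__main__":
    for name, (bare, padded) in demo().items():
        print(f"{name:9s} bare pitch: {bare:.4f}   padded with ham words: {padded:.4f}")
```

With this corpus the padding drags both scores to nearly zero: because the padding is drawn from words the filter has already seen in legitimate mail, the letter groups carry the same "good" evidence as the words they come from, so changing the tokenizer alone does not defuse the trick. What moves the outcome is retraining on the padded spam once users report it, which pushes those padding words back toward neutral.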
It's not about the amount that comes to you, but rather the tactics being used. I think the spammers have learned to make it past Bayesian filters and, as a result, we can't just automatically dispose of mail. More and more of it is making it into mailboxes, whether it's attaching dummy text to fool the filters or just making the pitch come in the form of an image and using good text to get that image to the user.
Are your mailbox counts filtered or unfiltered? If so, what strategy is used?
My work here is dung.
Everyone must have noticed a surge in spam recently, particularly for stock pump 'n' dump scams.
You mean I wasn't getting emails for being the most popular penny stock buyer in America?
How do those spammers make money from sending spam about penny stocks? What is their hope? That someone invests in the penny stock? How does the spammer benefit?
I've been noticing a lot of the pump and dump spam recently, partly because non-existent addresses associated with a domain I own have been used as return addresses. I've also recently learned that the address of an academic website I maintain on a university server was poisoned on at least one major DNS so people accessing the website were redirected to a fake site that attempted to take over their machine. It's really getting rough out there.
LOOK!!! A clue!!!
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
Worrying is a waste of time. Thinking critically about the problem to find a solution is what should be done. I don't submit my email to non-trusted entities. I don't publish my email on the internet. Consequently, I do not get much spam. I did in the past when I did not adhere to these practices.
I think 2 simple solutions can be combined.
1- As in IM, no one can email you if you have not emailed before.
2- For first time email, the receiving server could send back a CAPTCHA (http://en.wikipedia.org/wiki/Captcha) or a product of two large primes to factorize.
The captcha would be solved by the human sender, or the factorization problem by her MUA. Nowadays email is almost instantaneous, so this would not add a noticeable delay. All the protocol could be implemented over current email protocols with little modification to existing software.
Even worse than the spam itself are the advances in malware that are being made by the companies that create these botnets. They have gone from using simple exploits and scripts to creating rootkits that are nearly impossible to detect and just as difficult to remove. In some ways, this could be a good thing because it is going to force OS programmers to create systems that are much harder to tamper with and I think that they will be fairly successful within a decade, but it's going to be a rough ride in the meantime.
Spam only requires something like one response to be successful. Do the pump and dump schemes even get that? They'd need to trick someone who is savvy enough to understand something about the stock market, who surely must all be aware that some people will try unscrupulous means to try to fleece them.
Can they even measure the effectiveness of their marketing?
Over the last couple of months the spam count on my mail server has gone from an average of 10K a day to over 20K a day. I had to turn off virus scanning and actually drop some of my spam filtering because the server couldn't process the mail fast enough. Now I'm having to upgrade the mail server hardware to handle the increased SPAM load. I'm sure I'm not the only one forced to do this.... SPAM has gone from an annoyance to a financial problem.
Credit where credit is due: this article is from SecurityFocus. The Register just scraped it.
http://www.securityfocus.com/news/11420
-- http://frobnosticate.com
If we could OCR these incoming images, maybe that would eliminate at least the deluge of stock pumpers. I made the mistake of setting an autoreply on my account recently (at the server end). Now I get a zillion bounce-spams using my domain (I monitor a catch-all) and randomly generated usernames.
I think law enforcement should be working harder at catching spammers (internationally, if necessary) than they are at tracking down copyright infringers. Not because of any moral posture, but because I suspect the total economic impact of spam is greater than infringing use of content. I also think the prohibition against cruel and unusual punishment should be lifted.
Hey, now that I come to think of it, maybe spam is a bigger issue than oil. I say we start invading countries with spammers!
Is it just my observation, or are there way too many stupid people in the world?
Most of the eBay phishing attempts I get are pretty laughable, but this was good enough to be worth warning about, as someone has finally written a sophisticated enough phishing bot to send these out based on listings.
So, if you weren't already doing this before, to answer eBay mail, go in through your MyEbay link rather than any mail link to answer eBay mail.
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
I saw this on securityfocus.com* and TBH I just thought "tell me something I don't know" - seriously, who is surprised by this?
*http://www.securityfocus.com/news/11420
so I can smash their FN hands with a hammer.
They'll have to do their spamming by holding a stick in their FN mouth.
I'm so sick of this shit.. They fly in totally under SpamAssassin's radar. I have the SA threshold set at 2.1 and this shit still scores less than a 1.0..
I'm about ready to whitelist the people I know and blackhole everything else.
Skilled consultants provide help by phone in English or Spanish, while field technicians are available for in-person assistance when necessary. Parabolic reflectors eliminate brightness while delivering light in uniform optical distribution.
Optional curved nickel-plated blades facilitate color blending. square mesh and polycarbonate panels.
Solution also offers automatic synchronization of contact changes from server. On all models, each input is rectified by photo-coupler diodes and polarity insensitive. Select models offer inputs with change-of-state detection capability. In infrared mode, users can scan hot, moving, electrically energized, and hard-to-reach objects. In infrared mode, users can scan hot, moving, electrically energized, and hard-to-reach objects.
Adjustable legs assist in leveling and positioning, while bi-directional fork pockets allow mixers to be picked and placed by lifts and fork trucks.
(Posted anonymously for obvious reasons. Yes, this is an excerpt from a message I received this morning. Yes, there was a graphic for a stock scam above all the text.)
There's something I don't understand. Maybe I'm too naive but I would have thought this kind of pump and dump would be illegal ( the stock trading part of it at least ). So shouldn't it be easy to trace just who bought 10,000 actions of xyz to begin with and start asking questions?
I recently saw a surge from about 15 spams a day to well over 200. So, I got a spamcop account, and changed my email to go there, and then from there I forward it to where I read my email. Now I'm back down to about 15 per day. Spamcop catches the rest, and they land in my 'held mail' folder, where it takes about 10 seconds to report as much spam as I want. In the email account where I actually read my email, I pushed up the sensitivity of the spam filters, and now I see maybe two a day in my inbox. I just report the rest to spamcop.
Maybe we need bots to fight the bots. Bot Wars. In a galaxy far, far, away...
"We are all geniuses when we dream"
- E.M. Cioran
Where are those anyway? I never saw them.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
More music, fewer hits
I just assume that anything from ebay or paypal or a US bank is phishing. Do they ever send out legitimate emails?
Fallacy of composition: Everyone must have noticed a surge in spam recently
If law enforcement really wanted to catch these pump-and-dump spammers it would be easy to do. Just investigate the people who have purchased large volumes of the penny stocks being spamvertised. I doubt anyone cares enough to do it, though.
Oh, and Slashdot? If you keep hitting me with animated advertisements that cannot be closed, I will be moving to Digg.
this signature has been removed due to a DMCA takedown notice
It's been past time to start worrying a long time ago. There used to be a slim chance to fight spam by closing open relays (or blacklisting them) and using legal methods. But going through the legal system to fight spam is not easy in countries such as China and Russia (let alone Vietnam or Nigeria). The German computer magazine c't had an article on bot nets sending spam in April 2005:
http://www.heise.de/kiosk/archiv/ct/04/05/018/
That was pretty much the time I started worrying.
When I read that Microsoft or some other large company celebrates a legal victory against a known spammer (mostly people using their own mail servers) I really have to wonder why so many publications take part in those public relations stunts. In spam sending the supply is much greater than the demand. I get spam mail without content, or without any monetary compensation to be gained (no fraud attempt or product offer) very frequently. So closing down the spam houses that actually have an address (those are pricks as well and should be thrown in jail nevertheless) does not make a difference in the total amount of spam. It just moves the market to bot nets, which has some added drawbacks.
I see a lot of nonsense text, but no ad. No stock tip, no viagra, etc. Just nonsense. How do you make money not even trying to sell something?
Is it just an attempt to desensitize my filters, so that maybe an ad can get through later?
Or are they just "email terrorists" trying to DoS email altogether, with no commercial agenda?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The only way to ever put an end to this problem of spam will be to stop using Windows, or to at least minimize the number of Windows computers. While the security of Windows has improved recently, its insecurity is still the prime factor allowing for these sort of bot nets to be formed in the first place.
The first step will be to get home users to migrate away from Windows. Mac OS X presents a very suitable replacement for many people. It offers a very usable desktop environment, as well as alternatives to basically all of the software one would be a user of on Windows.
For those who aren't willing to spend a lot on a new or used Mac, they can resort to Ubuntu Linux. While it may not be as easy to use as Mac OS X, it still does provide a very solid desktop environment. I'd recommend replacing GNOME with KDE, as in my experience people find KDE easier to use, and it offers a more integrated and complete set of desktop applications than GNOME does.
The fewer Windows machines there are connected to the Internet, the fewer Windows machines there are that can be compromised and used to send out spam. So do your part as a geek, and help some family members convert from Windows to Mac OS X or Ubuntu.
I use crm114... It is absolutely positively the best spam bustin utility there is..
spamassassin can suck it!
Let's face it, email is a broken protocol. It has no built-in safeguards against these kinds of attacks. The problem I'm seeing is that we're giving up and just saying it's inevitable, when it's clearly not. There's lots of good methods out there that stop spam cold in its tracks. Some sort of actually enforced sender ID protocol would be a good start. The problem is that everyone thinks the current system has too much inertia, and that it can't be replaced.
Cyde Weys Musings - Scrutinizing the inscrutable
And now, for your viewing pleasure, a small sampling of what I got in the mail today!
And the second: As you can see, I love spam...
Xserv
"I love lamp."
We have seen a huge increase in the number of Joe Jobs lately, and as a consequence, our postmaster mail is filling up at record pace. Yesterday, I saw bounce notices from a single Joe Job coming in at several thousand a minute. Literally, Thunderbird could not open my postmaster folder. I had to copy /dev/null into it, wait a few seconds, and open it with mutt if I wanted to see any of the data. Over 50% of our processing time was spent sending mail to the postmaster admins, and we had a backlog of 25,000 messages. Our dual mail server beast could not keep up; fortunately, we found out why.
By default, sendmail uses a single queue runner. We found this, and not amavis, was our bottleneck. The single queue runner is fine for low and medium volumes, but fails miserably when presented with a huge volume of mail. So we fired up 4 queue runners instead, and increased the number of available amavis children to compensate. The queue runners each have a behavior:
1) the default sendmail queue runner, starts at the front of the queue, and runs serially through it, then starts over.
2) tries to find the oldest members of the queue and process them first. Keeps stuff from being left alone for very long.
3) tries to find letters that are all going to the same mail server, and send them together. This one is awesome, as it opens a single TCP connection, and sends as many letters as it can. No time waiting for TCP handshaking per letter.
4) hops around the queue at random, and sends messages.
With the combination of these four queue runners we have seen a huge increase in the load average on our mail servers, but we have also seen a great boost to performance. We are still seeing tons of postmaster bounces from Joe Jobs, but we aren't being slugged out by them anymore. If your mail server seems to be underperforming, try this, it really does help.
--Nuintari
slashdot : where an opinion can be wrong.
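As an added illustration (not Nuintari's configuration, and not sendmail code), the following Python simulation, written for this page, scores the four queue orderings described above on a constructed ten-message queue snapshot: how many TCP connections each ordering needs, and how far back in the run the oldest message ends up. Hostnames and timestamps are made up.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class QueuedMail:
    qid: str
    host: str        # destination mail server
    queued_at: int   # arrival time in seconds (constructed)


# Constructed queue snapshot: mostly bounce traffic for three destination hosts,
# with one message (q06) that has sat in the queue far longer than the rest.
QUEUE = [QueuedMail(f"q{i:02d}", host, t) for i, (host, t) in enumerate([
    ("mx.alpha.example", 100), ("mx.beta.example", 101), ("mx.alpha.example", 102),
    ("mx.gamma.example", 103), ("mx.beta.example", 104), ("mx.alpha.example", 105),
    ("mx.alpha.example", 40), ("mx.gamma.example", 106), ("mx.beta.example", 107),
    ("mx.alpha.example", 108),
])]


def order_serial(queue):
    """Runner 1: walk the queue front to back in arrival order."""
    return list(queue)


def order_oldest_first(queue):
    """Runner 2: process the oldest entries first."""
    return sorted(queue, key=lambda m: m.queued_at)


def order_by_host(queue):
    """Runner 3: group messages by destination host so one connection carries many."""
    return sorted(queue, key=lambda m: (m.host, m.queued_at))


def order_random(queue, seed=1):
    """Runner 4: hop around the queue at random (seeded for repeatability)."""
    run = list(queue)
    random.Random(seed).shuffle(run)
    return run


def connections_needed(run):
    """Every change of destination host between consecutive deliveries costs a
    fresh TCP connection and SMTP greeting; same-host runs reuse the session."""
    return sum(1 for i, m in enumerate(run) if i == 0 or m.host != run[i - 1].host)


def position_of_oldest(run):
    """How many deliveries the oldest message waits behind before it is attempted."""
    oldest = min(run, key=lambda m: m.queued_at)
    return run.index(oldest)


def compare(queue=QUEUE):
    """(connections, wait of oldest) for each strategy on the same snapshot."""
    strategies = {"serial": order_serial, "oldest-first": order_oldest_first,
                  "by-host": order_by_host, "random": order_random}
    return {name: (connections_needed(fn(queue)), position_of_oldest(fn(queue)))
            for name, fn in strategies.items()}


if __name__ == "__main__":
    for name, (conns, wait) in compare().items():
        print(f"{name:13s} connections={conns:2d}  oldest message waits behind {wait} others")
```

On this snapshot the serial walk opens nine connections for ten messages and leaves the old message sixth in line, while grouping by host needs three connections and happens to reach it first; the point of running the orderings side by side is that no single one is best on both measures, which is why the post runs several.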
I have also noticed an increase in spam.
For your viewing pleasure, here is a graph of spam per day:
http://img21.imagefiasco.com/images/eMx92293.png
Seriously, with all the guards I have in place, I haven't really noticed anything. I got three spams for all of last week ( and this address is on mailing lists. You can google it for christ's sake ).
:D )
So yeah, haven't noticed it. Sorry.
( and yes, smartasses, if it makes you happy, sign me up for whatever spam you want to; it still won't bother me.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
If 10% of us replied with total garbage to 10% of spam, it would make it a disaster for marketing. Imagine if you run a shop and every single person that passes within 10 miles drops in and asks a question and then leaves without buying anything.
Suddenly you can't find the people who want to spend money and bang, your business fails.
So next time that you get an email saying that they have found 10 ways to remortgage your house, reply, tell them you have an average 3 bed in an average address with an average income and let them waste their time replying.
Why not ask them to send some brochures by snail mail - that will cost them money.
Set up a ???mail account that you use only to reply to spam, and consider it a sport to see how many emails you can get a day.
Or just use gmail and let it filter the spam like I do 8-)
D
http://davesboat.blogspot.com/
I mean, why upgrade your mail server hardware or whatever you guys do. Come on, bots have a very distinguished signature on the net; combine that with location and you know whom to talk to, or allow to connect to your mail server. This is actually not rocket science. IFF the ISPs wanted to they could stop all SPAM and DDOS at the beginning, before they cost customers money. But whom would they sell bandwidth to?
I got 1 spam in the last 2 months.
No. Bayesian filtering has failed, just like every other filtering method before it. Modifying it will not work. Adding OCR for image text will not work. Creating a new filtering mechanism will not work. The spamming will continue, more and more of it will get in.
Frankly, given that processing power, disc space, bandwidth etc. are all increasing, I for one foresee the current spam/anti-spam arms race continuing indefinitely, with the amount of spam sent slowly increasing, and the amount caught by the filters being just enough to keep the amount of spam you get into your inbox at around a constant level. It's an endless cycle.
I say, turn it all off. All of it. The filters, the blacklists, the whitelists, Spamhaus, the lot. Let every single spam sent reach its destination, if just for one day. Let Joe Sick Pack finally realise the scale of the problem and just how much strain is being placed on mail servers. It will be both terrible and beautiful at the same time.
Then take off and nuke the site from orbit. It's the only way to be sure.
May the Maths Be with you!
So you got lucky.
What's your point?
Sigs are awesome huh?
You've basically described what BlueFrog used to do. IMO, they were the most effective counter-spammers; so effective that some spammer DDOSed them to death. (And not just them; their DNS provider, LiveJournal, and the anti-DDoS service they tried to use to survive the attack). Based just on the response they got alone, I'd say they must have been hurting somebody.
If you missed the story and don't want to read all the old Slashdot articles from a few months ago, there's a big article about it in this month's Wired.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
This is my own experience. I once got a library card, and gave my email address. Within a month I started receiving a huge amount of spam using my name, physical address, and/or email. I moved (for other reasons ^_^), and got a new library card. I set up an email address specifically for using as my library email. Same thing happened. In a few years I moved again, new card, new spam. I got a ticket. I gave my email address to the municipal court. Within a month, more spam. I worked for the state for a while. I set up an account specifically for that and had no mail until I had given the state the email address, and then I started getting spam. So, my thinking is, it is the government or at least my state government that has issues with security.
> Oh, and Slashdot? If you keep hitting me with animated advertisements that cannot be closed, I will be moving to Digg.
Hahahahaha,...good one.
I've recently enabled the FuzzyOCR plugin for SpamAssassin and it works really well. It uses gocr to convert images to text and then runs the text through a simple word check.
I manage quite a few email domains, with a total user base over 2500. Spam has really gotten out of hand over the last year and I've had to become much more aggressive. The combination of SpamAssassin, RulesDuJour with SARE rule sets and the FuzzyOCR plugin is pretty effective.
I had real hopes of Bayesian becoming the best tool for anti-spam, and it is very good for individuals, but trying to maintain an effective Bayesian database for a large number of users is difficult and always holds the threat of false positives. For example, if a user is having mail problems, they are very, very likely to send themselves an email with a subject of Test and no content. This seems to hit pretty high in any Bayesian database I've built.
Who knows? Perhaps our need for a spam filtering engine could breed innovation in the AI community?
Such an approach may generate capable and powerful natural language parsers. Rock on. But as a solution to spam it really is a case of "naive (computer) scientist."
The most direct approach to stopping spam is breaking these botnets and the most direct real-world approach to breaking these botnets is cleaning up the mess that Microsoft has made of their OS.
And I'm not flamebaiting because if it were Linux or Mac OS botnets sending out this spam, the most direct approach would be to clean those operating systems, too. The most effective solution is one that responds to the reality, what scientists mean when they say "the natural world." In computing, the natural world presents us with the undeniable fact that the computers out of which spam botnets are built are compromised Windows machines. Fix Windows (largely done in XP) and kill Windows pre-XP.
Maybe Bill Gates's charitable trust should purchase free upgrades for anyone with MS Windows pre-XP. Please?
blog
In my recent experience the penny stock spams have been using simple 4 color gifs MIME'd right in the mail, surrounded with what looks like excerpts from The Da Vinci Code. It renders SpamAssassin's and Thunderbird's filters pretty much worthless.
I wonder why the SEC doesn't get involved on the pump and dump stocks? It's a closed system, and the spammers have to put the ticker symbol in the spam. They should write a new rule that says "if we find >1000 spams with your ticker symbol in our honeypot mail accounts, we will selectively suspend trading of your stock for a week". Although, I guess that would just shift the game to promoting your competitors stock via spam so they get suspended... sigh, if only email didn't scale so well-- one spam is worthless, but 1 million can make it worthwhile.
This sig is exempt from disclosure under the privacy Act of 1974.
this could be a good thing because it is going to force OS programmers to create systems that are much harder to tamper with
Could you do me a favor? Could you google "William Henry Gates III" and let me know what comes up? I'm curious what fast-food establishment he works at in your universe. Don't worry about who he is.
You're not going to believe what he does here.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I have incoming port 25 firewall blocks set up for all the Chinese and Korean netblocks I could find, plus specific blocks for hosted spammers. A few weeks ago, right after entering some Russian hosting blocks to filter out a bunch of spam that my mom was getting, suddenly my own spam levels shot right through the roof. And they were from all over the place, quite obviously botnet spam. My increase was so dramatic specifically because I had blocks for my "usual" sources.
Thank you Microsoft, for focusing so much on security, even at the expense of usability or market share. Oh wait, you didn't. You had that "Security February" a couple of years ago, and things just got worse from there.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Has anyone tried charting out these stocks they try to pump and dump to see if their tactics actually work at all? It blows my mind that anyone falls for those things....
Build it, Drive it, Improve it! Hybridz.org
One thing that has always baffled me when it comes to certain types of SPAM is the audacity and lack of fear of the spammers. We need more cases like the recent spammer that got a jail sentence for spamming AOL. One issue that I've always found laughable was that "the spammer cannot be found." Sure they are using bogus return addresses, relays, hacked machines, or legit foreign providers that are hard to communicate with or track down. However, the one thing they generally have in common is a porn, mortgage, medicinal, or some other website with ads/sign-ups that has a unique referrer on it that ties directly (maybe indirectly sometimes) to the spammer. I watched Dateline NBC track down a spammer of porn to Canada via the referrer, ISP, and other means and they sat down with him face to face. If someone would grow a pair or was serious about stopping SPAM they would do more to go after the spammers. Look -- there's not millions of spammers out there causing all of this. The large bulk amount of it is coming from a few thousand if not less.
Great so everything I just said has nothing to do with this spam -- the pump and dump. Well, that's not exactly true either. If someone is doing a pump and dump, chances are that they have (or someone they're working with) has bought a large amount of this bogus stock prior to the SPAM starting. Hell -- since there's multiple stocks being SPAM'd -- we might even find a pattern here if we look at who has bought what. If people want to get serious about stopping not just SPAM but scams, they could consider investigating this stuff to figure out where the money is at. Don't tell me no one cares, they cannot be found, or it's too hard. It's not.
I get about 6k a day to my aging server, and the spam filtering cannot keep up. It's not an even trickle: some times of the day, it's several attempts per second. That's faster than the filtering software can handle.
Legitimate senders are getting "warning: could not send for past 4 hours" and then phoning me to ask if I've received their mail. The CPU and memory load spikes from time to time, and then it's not possible to login until it settles. (A known weak spot in Linux.) If I lower the resources allocated to mail processing, it cannot handle the incoming mail rate most of the time - it's just on the edge right now.
Now, I'm running Sendmail and Spamassassin on a Red Hat 9 box which is a 600MHz Celeron in a data centre. I'm sure all of you will laugh, and tell me to run better software on a newer OS and a better PC with a virtual machine. And how SpamFilter-of-the-day is much better than Spamassassin (it could hardly be worse).
But the fact is, updating all of those takes real time and expense. And when it's updated? It'll still be a significant load, and it'll still need to be maintained, and upgraded again at some point. I'm planning to order a server with 2GB of RAM because I think 1GB won't be enough to handle the memory load spikes for spam filtering.
Sorting all that will cost me real time and money. But at least I'll have reliable mail again and a server I can use for other things.
And that's nothing compared with the time I spend every fucking day skipping the spams in my inbox. About 5k per day are deleted by my filters. But that leaves 1k per day to skip manually - those where the risk of false positive is high enough that I need to check them. That's a pretty long and unpleasant inbox to face each day. Very unpleasant if I don't check it for a few days.
However, that has got to the point where _I'm_ accidentally deleting legitimate mails too. I have taken to whitelist-scoring my most important correspondents so that I don't accidently delete them among the spams. But that makes it even harder to respond to mail from people that have no prior connection with me, and people who haven't made it to the whitelist but should have.
Spam is definitely a financial problem for me. I estimate it costs me about $15000 USD/year in time spent deleting unwanted messages (about 40 minutes/day). Add on the hardware and software maintenance costs, and the annoyance, and the problems caused by deleting false positives.
Does anyone have a program that can crawl through a spam mailbox and pull out the IPs of the originating machines, based on the headers?
Obviously you'd have the problem of forged headers, but usually you can find an IP if you trace the headers back to the first "trusted" network (a major ISP or backbone server) and see who they received the message from. That's probably either your spam source or your open relay.
Then you could just dump the IPs into the ORDB for checking automatically, and put the zombie-machine IPs into a rolling 24-hour blacklist or something.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
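An added example of the header walk just described, written for this page rather than taken from any existing tool: it parses a message, walks the Received lines newest-first, trusts only lines stamped by our own hosts (assumed here to end in .example.org, with MX addresses in 198.51.100.0/24) and reports the first connecting peer outside that network. The sample message, including its forged bottom hop, is constructed.

```python
import email
import ipaddress
import re
from collections import Counter

# Constructed sample, not a real message. Our MX pool is 198.51.100.0/24 and our
# hostnames end in .example.org; the sending bot is 203.0.113.45. The bottom
# Received line is a forgery the spammer attached before handing the mail to us.
SAMPLE = """\
Received: from mx2.example.org (mx2.example.org [198.51.100.20])
 by mail.example.org with ESMTP; Wed, 18 Oct 2006 09:14:02 -0400
Received: from dsl-pool-45.isp.example.net (dsl-pool-45.isp.example.net [203.0.113.45])
 by mx2.example.org with SMTP; Wed, 18 Oct 2006 09:14:01 -0400
Received: from mail.bigcorp.example ([10.0.0.5])
 by relay.bigcorp.example; Wed, 18 Oct 2006 01:00:00 -0400
From: "Stock Alert" <alert@bigcorp.example>
To: victim@example.org
Subject: hot pick

buy now
"""

TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # our own MX addresses (assumed)
OUR_DOMAIN = ".example.org"                                # suffix of hosts we run (assumed)

BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.I)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # IPv4 only, for brevity


def origin_ip(raw, trusted_nets=TRUSTED_NETS, our_domain=OUR_DOMAIN):
    """Walk Received headers newest-first. A line stamped ('by') one of our own
    hosts is trustworthy, and its bracketed 'from' IP is the peer that actually
    connected. Peers inside our own network are skipped; the first outside peer
    is the best estimate of where the message entered. Stop at the first line
    not stamped by us: everything below it arrived with the message and may be forged."""
    msg = email.message_from_string(raw)
    for hop in msg.get_all("Received", []):
        by = BY_HOST.search(hop)
        if not by or not by.group(1).lower().endswith(our_domain):
            break
        ips = BRACKET_IP.findall(hop)
        if not ips:
            continue
        try:
            peer = ipaddress.ip_address(ips[0])
        except ValueError:
            continue
        if any(peer in net for net in trusted_nets):
            continue
        return str(peer)
    return None


def tally_origins(raw_messages):
    """Count origin IPs across a folder of spam, ready for an RBL lookup or a
    short-lived blocklist as the comment suggests."""
    return Counter(ip for ip in map(origin_ip, raw_messages) if ip)


if __name__ == "__main__":
    print(origin_ip(SAMPLE))                 # 203.0.113.45
    print(tally_origins([SAMPLE, SAMPLE]))
```

The stop-at-first-untrusted rule is what keeps the forged 10.0.0.5 line from being counted: the spammer controls every header below the point where our own server first stamped the message, so only the hops we wrote ourselves are evidence. A real deployment would add IPv6 brackets and the networks of any upstream relay or MX provider you trust.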
I think mailclients should accept mail by whitelist only. SMTP should then be extended to include a whitelist-request, which can, count 'em, contain 1 line of text of 100 characters or something; much like a subject line, so you can still subscribe to web-based mailing lists and the like. The response to a whitelist-request should also be automated by your mailclient (popup with: 'You have a whitelist request, XXX. What would you like to do ?'). MTAs can be aware of the preferences of their clients by intercepting these whitelist-responses. Spam would be useless, as it could only be formulated in the whitelist-request subject-line (much too short). APIs that send mail to (large amounts of) (perhaps unaware) subscribers, can be made to formulate whitelist-requests instead of regular mail when they get their '455 Sender not listed' response. The little bit of action at the end-user-end (doing your daily thing of whitelisting sender-addresses, or not - an activity that will eventually dry up) will be zero in comparison to the amount of action that is required at the moment.
Religion is what happens when nature strikes and groupthink goes wrong.
Is there somewhere an analysis of the current techniques used that are getting past Bayesian filters? Any thoughts on how to evolve counter measures?
I'm also very promiscuous with my email address... and just like you it's because Gmail takes care of all the crap, simply and effectively.
I've been noticing a Spam surge recently... but only because I keep an eye on my gmail spam category. Right now it reads thus:
Spam (5343)
That number represents the # of Spam in the last 30 days for those that don't use Gmail. For a while now I've hovered around 2000 or so... but it's been steadily climbing over the last several months. Luckily Gmail does a good job and I only end up with a piece of spam in my inbox a couple of times a week. At 20 a day flowing in, that's fine with me (and of course it's easy to spot Spam in Gmail and slap the Report Spam button without losing much time).
It is simply amazing to me that someone out there is actually giving money to these bastards! I don't know a single person who has ever responded to a piece of spam... _ever_. And I hope I never meet one... 'cause they are going to get an ear full. If only people wouldn't respond to the ads the market would dry up and go away... so, to me, the big problem here are the idiots that keep the spammers in business...
Friedmud
Is "bounce keys". Essentially, you sign every email leaving your server, and if a bounce doesn't return with a valid signature, you don't accept it. My domains have been used by spammers (I guess I got on their nerves, heh), and this stops about 99% of the bounces.
All editorial writers ever do is come down from the hill after the battle is over and shoot the wounded.
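The bounce-key scheme the post above describes, as an added example (not the poster's setup): sign each outgoing envelope sender with an expiring HMAC tag, and at RCPT TO time accept a null-sender bounce only if it targets a correctly signed address. The tag layout is modelled on the BATV prvs= idea but is this example's own; the secret and addresses are constructed.

```python
"""Bounce keys: sign every outgoing envelope sender, reject bounces that
don't carry a valid signature. Modelled on the BATV 'prvs=' idea but this is
an added illustration with its own tag layout, not any MTA's implementation.
The secret and all addresses are constructed for the example."""
import hashlib
import hmac
import time

SECRET = b"constructed-per-domain-secret"   # assumption: one key per domain
MAC_LEN = 12                                 # hex chars of HMAC kept in the tag
VALID_DAYS = 7                               # bounces older than this are stale
DAY = 86400


def _day(now):
    """Current day number (seconds since epoch // 86400)."""
    return int((time.time() if now is None else now) // DAY)


def _mac(expiry_day, address, secret):
    """Truncated HMAC binding the expiry day to the real sender address."""
    msg = f"{expiry_day}:{address}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:MAC_LEN]


def sign_sender(address, secret=SECRET, now=None):
    """MAIL FROM to use on outgoing mail: prvs=<expiry><mac>=user@domain."""
    expiry = _day(now) + VALID_DAYS
    return f"prvs={expiry}{_mac(expiry, address, secret)}={address}"


def verify_recipient(address, secret=SECRET, now=None):
    """Return the original address if the tag is valid and unexpired, else None."""
    if not address.startswith("prvs="):
        return None
    try:
        _, tag, original = address.split("=", 2)
    except ValueError:
        return None
    expiry_str, mac = tag[:-MAC_LEN], tag[-MAC_LEN:]
    if not expiry_str.isdigit():
        return None
    expiry = int(expiry_str)
    if _day(now) > expiry:
        return None                          # replayed or very late bounce
    if not hmac.compare_digest(mac, _mac(expiry, original, secret)):
        return None                          # forged or tampered tag
    return original


def should_accept(mail_from, rcpt_to, secret=SECRET, now=None):
    """RCPT TO policy: a bounce (null sender) must target a signed address.

    Ordinary mail is untouched; only mail claiming to be a bounce of something
    we sent has to prove it with a valid tag, which kills joe-job backscatter."""
    if mail_from not in ("", "<>"):
        return True
    return verify_recipient(rcpt_to, secret, now) is not None


if __name__ == "__main__":
    tagged = sign_sender("bob@example.net")
    print(tagged, should_accept("", tagged), should_accept("", "bob@example.net"))
```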
Drugs are bad, mmkkkay?
Omry.
If I could run all of the tests I want to I could eliminate a ton of the spam coming in. Unfortunately a lot of the domains my users need to receive email from don't follow basic RFCs much less recommended best practices. As a result many tests which seem great on the surface block far too much legitimate mail.
Heck even Yahoo can't be bothered to add an SPF record to their DNS. (Ok, it's not an RFC but it's a good idea just the same.)
How do you feel about emails that become the casualty of the domain owner's or postmaster's failure to do things right?
Aren't lots of factorizations just the kind of things these large botnets sending out spam today would be great at? Or even Captcha parsing?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Stop the people who are actually responding to spam!
Honestly, there are people out there that buy stuff from reading spam mails, clicking on the enclosed link, and buying stuff from those websites.
That some people get fooled by phishing emails, well we can all be the sharpest tool in the shed, and these people should be helped.
But the people buying stuff from spam mails, should have their internet connection cut!
I have noticed an increase lately but none of it gets to my mailbox as I run Spamassassin.
Seriously, I get 2 to 3 thousand spams a day and not a single one gets through a well trained Spamassassin. Also, it has never once flagged a real message as spam. Kinda cool.
Ah, and my old favorite... http://www.spamstocktracker.com
I've prevented a lot of this spam by simply blocking unknown_hosts.
Figuring 95% of mail servers should have a DNS A record, the others are spammers, because they don't stay in one spot long enough to have a permanent A record.
Just a theory.
Works for me.
I actually got hit once with a good email. It was a valid question to the product I was selling. I was excited about selling it because it was worth a lot of money. My excitement overcame my common sense and I logged into the phishing site. I realized I messed up when I tried to reply, but there wasn't a message from that guy in my mailbox.
I instantly changed every password that I had that used my ebay username. I changed them all within a few minutes of giving the phisher my passwords, but it made me realize how easy it is to fall for it even when you are aware it could happen. I was just excited about making the big money.
:wq
I get roughly 1000 pieces of spam per day (spread across 6 email accounts -- the big offenders are Yahoo Japan, which came with my BB service and gave me an alternate email address which is algorithmically guessable, and my college account which I used when I was young and stupid and has been floating around the spam lists ever since). Of these, a grand total of five will penetrate POPFile (Bayesian filtering and that's all). Of the 300 non-spam mails (and perhaps 25 mails of interest, the rest being work-wide distribution lists and various automated stuff that I filter-and-forget), I temporarily lose about one every two weeks, which I generally catch with a quick scan of my spam bucket for ham keywords (I would whitelist them, but it would cause more spam to fall through on a daily basis than I'm comfortable with, so I just do my pull-wheat-from-chaff routine every 10 days instead of every 10 minutes).
Now, I will say this: if you are a non-technical user who can't set up POPfile for yourself, I think email is very close to failing if not already there, especially for folks who have maintained the same address for a while. The problem isn't server loads or bandwidth or disk space. The problem is that the usefulness of email as an application is getting subverted by the costs spam imposes on senders and recipients of legitimate email. You can no longer count on guaranteed mail delivery (spare me the egghead response about email delivery having never been guaranteed -- I know the RFCs say that but Joe Average understands email to be as reliable and instant as a phone call, because that's the way it has been and that's the way it was pitched to him), and you have to spend almost as much time on non-productive tasks (digging through spam) as you do on productive tasks (receiving and acting upon information).
Help poke pirates in the eyepatch, arr.
How about an email client which does this: An email from someone not in your whitelist gets put in a holding folder and an automated reply is sent back (with a unique number as the subject) asking for just a reply to that email. When the reply arrives the handshake emails are deleted and the original email appears in your inbox.
This would mean all email from forged addresses would never be seen. The handshake emails could be automated by the mail clients (get Microsoft to implement it and you've got a standard) so mailing lists could implement it, but it would still work for people with an older email client that didn't automate it.
Why won't this work?
Sorry to say- 10 seconds to send something is "okay". Nearly 2 minutes to send something, even if it's done in the background with a batch processing thread- it's stupid. It's as bad as the problem it's attempting to solve. Sorry, just don't buy that one- answers to the problem need to be FIXING things not just shifting the problems about. Also keep in mind that spammers aren't using a single machine to spooge spam to you now- they're using botnets. What does it matter if you take 100 seconds to send the mail message if he/she has got thousands of machines doing his bidding to send it all out? 100 seconds to process isn't enough time to make things impractical for them to spam with these days- so your proposed solution made it more difficult to send things for normal mail AND did NADA to discourage spam in reality.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
But with the arrival of spam spooging botnets, it becomes a little more difficult. They can forge all kinds of legit domain name/address combos that have NOTHING to do with the actual spam (Hell, I've gotten all kinds of bounces from my domain and others I get mail from, claiming I sent the spam and I never did any such thing...). As they get more clever, blacklisting will become less and less effective- and can cause other problems like blacklisting legit domains without open relays, etc. It's a reactive solution to the problem, much like Anti-Virus programs and Anti-Spyware programs are for Windows users.
We need to come up with PROACTIVE solutions to this or it'll just keep going and going, each iteration escalating the current problem to newer heights.
I don't even use email anymore; even the one I signed on @ /. with is just an abandoned email address. They can come ask about product in person (automobile salvage yard).
Most of the time I sit in the office and play when a customer is not buying.
Politics is Treachery, Religion is Brainwashing
+1 haven't noticed more spam.
One option is SpamBayes. After a little training with the regular spam I was receiving, very few false negatives and I haven't seen a false positive in months.
Not affiliated, just a satisfied customer.
We receive tens of thousands of spams per day, but practically none gets through our gateway with CPU mostly idle!
In this order....
1) Greylist with MySQL
2) Autonomous System Number (ASN) filtering
3) Spamcop
4) Spamassassin with lots of custom rules
5) A variety of custom rules to meet current challenges
The above may be implemented with Exim or Postfix. Did it require some knowledge to set up? Yes. Does it require monitoring? Yes. Is it worth it? Yes.
At about the time that allofmp3.com lost their credit card charging rights, I started to receive this spam at an address I set up just for their service announcements. Nobody else has it, so it's clear that allofmp3 monetized their email address list.
Whether it's spam (SMTP) or port scanning from zombie machines, the ISP must be able to spot the rogue activity and stop it.
Port scanning other machines in the ISP's subnet is not normal and likely prohibited by TOS; sending thousands (even hundreds) of emails is not normal and likely prohibited by TOS.
Why do they do nothing??
(When I say normal I do not mean it would never happen in a real situation, just unlikely.)
ERR 411[Max number of witty sigs reached]
Given virtually limitless storage and the arcana of unique "net IDs", I have a proposed solution: infinite alias mailboxes.
So, you have an account with Gmail. You log in. You hit a button marked "Random Alias". Gmail gives you a unique e-mail address: b2563kfsgksg@gmail.com. You can then use this for posting on a webforum, or buying something, or subscribing to a newsletter - whatever. You can reuse this address whenever you want, and you can control where the mail from it goes: forwards straight to you, or goes into a folder marked for it, or deleted automatically, or whatever.
I think the addresses should only be used to receive mail (but this might cause issues - as you can tell, I haven't thought this one out entirely through.)
Give your regular address to people you trust - or don't, give them a dummy address, too. What does it matter? In fact, why even have a "regular address"? As long as anybody you need to contact you has a method to contact you, you're good to go. You could even coordinate your different projects and contacts by email address (this is just a side benefit, and might not exist at all. The key here is killing spam, not saving your life.)
All of those one-time address stops that destroy your account after it's created are on the right track, but not quite good enough. We also need accounts we can dispose of at our own discretion, too.
Everybody already has their separate spam accounts and e-mail addresses that they use when they don't want to possibly get spammed or hassled by something they otherwise want. Why not make these so easy to create as to make any single e-mail address worthless to a spammer? You can also easily spot the people selling your address to spammers by how your address ends up on these lists. Maybe even make it so that if one account gets X% spam, it gets trashed automatically (you get an e-mail notice about the destruction.)
The major hurdle, of course, is getting providers onboard. There are other issues, too, and I'll let you guys flame me into nothing with them. But one of the major obstacles on the infamous "Your Spam Solution Won't Work" list is:
"temporary/one-time email addresses are cumbersome"
I propose that if this statement were no longer true, then almost none of the other issues on the list are relevant.
http://www.e360insight.com/show_case_doc49.pdf
All they have to do is to 'throttle' accessing port 25, restricting it to 1 connection every say 5 seconds. I mean who can manually send emails faster than that, and if you really need it completely open have a setting in a dialog that cannot be set purely via software.
Several posts in this thread are making the same claim, that Bayesian filtering has been solved by the spammers. Is there any support for these claims?
I use SpamBayes with Outlook and find it about 99 and 44/100 % effective. Actually better than that--I've found in addition to separating the spam from the ham, it does a pretty good job of identifying spam-like ham.
For example, machine-generated news letters from airline frequent flier clubs and the like. These aren't pure ham--they're not composed by a real person and do usually contain a lot of marketing speak, but they're not pure spam--they're likely to contain useful information such as my current balance of accrued frequent flier miles. SpamBayes consistently puts such emails in my 'spam suspect' folder. Perfect--it's not something I want to automatically delete as spam, but not something I necessarily need to see in my inbox with personal correspondence.
So, am I just lucky that these Bayesian-defeating spammers have passed me by? Or is the "Bayesian filtering has failed" claim FUD?
Not really. My ISP's Postini filter seems to catch all but a handful a day, and the spam trap doesn't seem to be any more cluttered than it normally is. Since I don't keep records, though, I can't provide hard numbers...
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
DISCONNECT APNICDISCONNECT APNICDISCONNECT APNICDISCONNECT APNICDISCONNECT APNICDISCONNECT APNICDISCONNECT APNIC
It is simple: disconnect APNIC, basically all of Asia. Most spam comes from China, India and the like. Hell, I found multiple Chinese and Korean IPs trying to break in to my FTP site over the weekend. Tried contacting the abuse lines, what a surprise- NO RESPONSE!!! DISCONNECT APNIC.
I recently discovered this technique...sounds very interesting. Anyone try it? Comments?
http://www.joreybump.com/code/howto/nolisting.htm
Basically, set your primary MX to be always unavailable. Normal MTAs should usually immediately try the next MX server, but the fire-and-forget type of spam/UCE won't.
What are the exceptions? Certain PHP-based webmailers and the like?
I use a mail client with Bayesian filter which I configured so that every unfiltered mail goes into the basket immediately. For every kind of mail which shouldn't be there (e.g. mails from known friends or new customers) I define a new rule. Most mail clients can be configured so that the basket is flushed on every exit. This solution is simple but it works at least for me. At the beginning I had some work to define all the rules but now it works for _every_ spam so far, regardless which tactics the spammers use.
How about implementing a system where each party has to authorize each other for emails to be sent. Let's say you wanted to email a message to your friend Bill. You have Bill's email and he has yours. To establish a connection between both of you, you have to send out a request to Bill first. Thing is, Bill won't ever see your request (this is to prevent both parties from being spammed by requests). Now Bill knows you and wants to email you also, he also knows you probably already sent a request, so he sends out a request to you. At this point when both requests are sent, a link can be established and both persons are notified of this.
This could be doable by each mail server and seems like a good way to eliminate spam.
Every day, I take the few pump-and-dump spams, along with the others that make it past SpamAssassin and the various DNSBL blocks on my VPS, and submit them to SpamAssassin. Almost all of them -- probably 97% -- came from a source outside of the United States.
... nothing is going to change. I can't begin to imagine why Internet users and ISPs are still swearing that the POP3 turkey can fly. Why in the world hasn't this protocol been replaced? All it would take is a couple of days in a meeting room with an engineer from Microsoft, one from AOL, one from Earthlink, and a few from the remaining top-10 ISPs to come up with an email protocol that would actually deny spoofing.
I know, I know, "You have proposed a technological solution to spam. It will not work for the following reasons..." Almost all of the objections people raise to technological anti-spam solutions assume that POP3 is going to be the transport mechanism for email from now until Judgment Day. If you abandon that lame-ass premise, you can actually get somewhere.
POP3 email deserves burial with VT-100 term programs and 300-baud modems. It was designed by a bunch of naive eggheads who never expected it to be used outside an academic setting, and while they did a good job at the time, it's time to move on, already.
Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
Maybe it's time to register mail servers and stop unregistered hosts' traffic at the routers and firewalls. Registration can be real easy for those tech-savvy people who want to run their own mail servers. Would it not be difficult for bot operators to register all their millions of bot members? P.S. Oh, slashdot, at least make your ads browser compatible....
I've also noticed this, and wonder why the hell an obvious avenue hasn't been taken to stop this: Filter all outgoing port 25 traffic from DSL/modem users to the ISP's mail relays and stop it there (based on sheer volume of mail - if some granny starts sending 10,000 emails a day, it's a pretty fair bet that it's not all legit).
There, all the botnet spam has stopped.
WTF is this simple thing taking so long to do? *IF* someone needs port 25 opened, then they could request it from the ISP; I use port 25; but for the overwhelming number of subscribers this is a non-issue.
Better still, if a customer started attempting to send vast amounts of spam, the ISP could track their other network connections, and maybe find out where the IRC server is that's being used to issue commands; from there, find the other connections to that server (if ISPs collaborated) and take it all offline.
Why not also check these pink sheet stocks being pumped, and suspend trading on any with no history (the ones I've checked almost always have virtually no trading history beyond the spammers buying huge blocks of shares prior to the spamvertisement). It amazes me that there are still morons out there buying stock based on the contents of a spam email!
Code, Hardware, stuff like that.
First, fighting spam is a multi-layered problem. *Just* installing a spam-filter won't help.
Second, we need more awareness in the public. The politics regulate almost ANYTHING nowadays, yet they fail to cooperate in forming an alliance against spam - the very most basic thing.
Spam has become a disruptive phenomenon in our lives, more disruptive than say smoking in a restaurant -- and additionally costs $$$ big time and politics love corporations.
Spam needs to be defined properly in clear and easy terms (something along "anything the recipient doesn't want") and violations must be prosecuted so that *ALL* people along the chain (bot-netters AND the actual sellers) are taken off-line - literally. Big time spamming must be a crime.
yet the most important thing must be guarded: freedom --
as in freedom to talk about exploits and security measures and which products/... are and are how vulnerable.
Er... s/POP3/SMTP and you might have a point. Yes, you're right, it's busted,
I've experienced the same thing -- lots more spam, mostly penny stock stuff with inline images. The first thing I did was look at the email source, write a regex on the single-image include and put that as an email-blocking test on my spam filter, ASSP (http://assp.sourceforge.net/). This quickly put virtually all of these spams into the blacklist of the filter; after a week I turned the regex off and ASSP has been blocking it since. I agree with some of the other posters, however, if this gets escalated again where the filters start becoming useless, I'll go 100% whitelist here.
Just make it illegal for Visa/Mastercard/Paypal to process payments for companies that use spam.
It wouldn't be hard to set up a community-based system where people clicked on their spam, then bought something with their special personal 'set off a flag in the visa network' credit card number.
More than a few of those and Visa beat up the bank and the bank beat up the merchant (incidentally withholding any funds due).
If the bank gets more than x% of spammy merchants, they face a financial penalty from Visa.
They'll figure out how to stop it when they lose money instead of making money from spam.
It won't stop the stock pumping, but it will stop the enhancement/drugs pitches.
Then instead of telling the world how they support the olympics, Visa et al can tell the world how they 'saved the internet'.
VLC Remote for iPhone and Android
I'm seeing an increase..
Here's our stats for this week from our anti-spam appliances.
5.5 million inbound connections.
3 million rejected by block lists
2 million rejected by mail filters
480,000 messages passed on to the mail servers
Our spam rate is 90%.. 12 months ago it was 80%
In the last year we went from 2.5 million connections to 5.5 million..
The legitimate mail has not grown.. only inbound spam.
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair
I think one thing that hinders discovery and prosecution is that a lot of the pumpndumpers are Russian and other Asian mafia types, in countries where there is little recourse for stopping them.
Interestingly, in the article there is mention that spamming is less profitable, indicating that now spammers can count on only 1 in 100,000 victims responding and getting scammed whereas they could count on 1 in 1,000 a few years ago. So it seems that education and overall awareness of spam as being something to ignore is taking hold, which bodes well for the future.
However, there should be much more effort towards tracking down spammers originating in North America and Europe, as doing so will have a significant impact on the amount of spam being produced.
Cheers
Who is this delectable creature with an insatiable love of the dead?
And combined with the post above about noticing that email addresses given to US government departments causing spam influxes, it shows that the main enemy might be right under our noses. Certainly system admins are making good money selling email lists, so more has to be done to prevent email addresses being let out into the wild as possible.
However, that doesn't prevent the spammers who play a guessing game for email addresses, but it's a start.
I get between 900-1400 spams a day. That sounds like a lot but Eudora handles 99.99% of them properly so the only cost to me is scanning the reject list looking for false positives. About once every ten days, there'll be something in the spam bin that's not spam so I have to look. Most Spam breaks down into the following categories
- Include a response url
- Tout a stock symbol using simple text
- Tout a stock/product using a graphic
- The subject lines clump, i.e, I'll have 40 spams all with the same or similar subject line.
How hard would it be for an ISP to keep a copy of outgoing email and if a subscriber sends out email that:
- Has a response url that matches a spam url, or
- Touts a stock that's flagged as spam
If outgoing email falls into either category, the ISP notifies the user that he's sending spam. In most cases, the user probably has an infected machine and needs to clean it. The ISP could, for a fee, offer to clean the user's machine or the user could clean it on his own. Until the user's cleaned their machine, their internet access is suspended. Either way, a bot is shut down. Granted, the method won't get 100% of the spam but it would snag more than half of it.
I use multiple anti-spam methods and in combination my inbox is completely spam-free. If you don't have control of your mail server, none of this is relevant to you.
1. Greylisting. Spammers typically don't retry on failure, and greylisting insists that the originating mail server behave correctly. The downside is that a few legitimate mail servers don't behave correctly, either, so you have to determine those and exclude them manually from greylisting. I think I've had to make exceptions once or twice so far, not too bad.
2. Everything gets scanned with ClamAV next, which, as an added bonus to virus protection, actually catches some phishing emails too.
3. SpamAssassin with auto-updating SARE rulesets. The downside is that it is possible that legitimate email will get marked as spam, but I glance at the folder every now and again to make sure. So far it has been 100% accurate. Be intelligent about the rulesets you use and you shouldn't have a problem. Bayesian by itself is not very effective these days.
4. Those stock scam emails with image attachments were getting through all that, so I set up TMDA, an auto-whitelist system, with a maildrop filter to run against just those emails with image attachments. TMDA sends me a list of emails once a day that are being held in queue pending confirmation, just to make sure I don't miss anything legitimate. It now seems that SpamAssassin has gotten much better at detecting this type of spam and TMDA only catches a few per user each week.
Oh, and I also use SPF but it is not yet effective. Hopefully, some day in the future when we all have flying cars and holodecks, every legitimate mail server will use SPF and I can then safely block those that don't. Until that day, all it can really do is prevent email spoofed from a couple sources. I didn't see any reduction in the overall amount of spam when AOL implemented SPF, it just didn't pretend to be from AOL anymore. Good for them.
Eagles may soar, but weasels don't get sucked into jet engines.
See http://techsec.blog.ca/2006/10/31/a_call_for_a_war_on_bots~1279868
Scorched earth tactics are required. If insecure boxes are wiped by viruses, at least bot-net operators won't get control of them. Make it painful for people who don't secure their machines. That is the only thing that'll cut down on the number of available zombies.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Still, I see you hide your e-mail on /. The only effective solution I've found is challenge/response. That pretty much kills spam. And, my e-mail is bill@billrocks.org. That's the level of protection I get from challenge/response. Try that with a Bayesian filter.
Beer is proof that God loves us, and wants us to be happy.
It would be convenient if there were some sort of Internet Czar that could decree this switch to a newer, more secure system, but that just isn't the reality. It would cost the industry billions of dollars so many will simply drag their feet and do nothing but put another band-aid on the problem. Just look at what has happened to the web, with all the incompatible websites because one company chose to extend the meaning of what HTML was supposed to be, then you get idiotic web developers who follow that company like a flock of sheep, saying to themselves, wow, what a cool feature, and include it in their website only to break that site for the millions of other users who don't use that non-standards compliant browser. If this were to happen to the new version of SMTP, it would cause a myriad of problems for companies who chose to do the right thing by following established standard only to find out that they can't get their mail out of the door. Ugh, what a mess... I wish I had a solution.
This really makes me miss the Blue Frog idea. What ever became of that? I know the company folded, but *nobody* could take its place? Or is there nobody brave/foolish enough to take on the spammers? I know there are "vampire" sites out there, such as the Artists Against 419 one, but frankly, they don't seem to get enough ... after all, the spammers still have a profitable business, somehow ...
Global warming is neither science, nor politics. It is a religion.
Maybe you missed this point, but I, as a user, haven't seen much of an increase in spam. However, as a sysadmin, I've got a neat little graph showing emails that are getting blocked by RBLs, and we're bouncing 3 times the amount of spam we did in July.
You notice it a hell of a lot more when you're worrying about your clients' email, and not just your own.
I feel the urge to strangle you. Stop using that horrible 'solution'. All you are doing is stuffing more spam my way. I have been joejobbed 5 times the past 2 months and I end up with insane amounts of these messages. I manage to filter out all the spam, but these get through. Oh, and just to mention.. Whenever I get a message from a moron solution like this I actually go through the trouble of responding so I know you will be getting the damned spam anyways. And I fire off that challenge/response message to Spamcop and similar services. Could you please stop breaking the Internet just to make it convenient for yourself?
Could be worse. Back in the late 1990s there were two companies who chose to extend the meaning of what HTML was supposed to be. It was Netscape-enhanced vs. IE-enhanced, and no one gave a rat's patootie about the standards because HTML 3 was so far behind what people wanted to do and no one had implemented enough of CSS to really use it.
At least now the standards are actually ahead of the browsers on most things, and there's really only one set of proprietary enhancements that people need to worry about (not counting stuff like Flash). Gecko, KHTML, and Opera are rapidly converging on the standards, with IE slowly lumbering along in the distance.
I think spam would drop precipitously if spammers were found dead on a regular basis...
NO, I'm not really serious, but we need laws with some teeth and rewards for finding the originators so that they can be physically stopped by the law.
Dog is my co-pilot.
Thanks to your message, you just increased the traffic load on the network between you and the spammers. Just because it doesn't make it to your inbox doesn't mean it isn't out there. You've only stopped the last hop. The only way your method will have an appreciable difference is if the majority of people used it.
Why not use true greylisting? There are many open-source greylist solutions out there for any mailer, and it's trivial to write your own. I wound up writing my own whose logic was basically thus:
- Is your class C on my whitelist? If so, accept message. If not...
- Is your class C on my greylist? If not, add to greylist and tempfail message. If so...
- Have you been on the greylist for at least 10 seconds (or 60 minutes, if your IP is dynamic)? If not, tempfail message. If so, whitelist IP and accept message.
I white/greylist the class C to account for SMTP clusters. This simple solution has drastically reduced the amount of spam that gets through to SpamAssassin, which means much less CPU is dedicated to fighting spam.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
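The three-step greylist logic above, written out as an added example (not the poster's own code): whitelist and greylist are keyed by the /24 so a cluster sibling's retry counts, first contact gets a tempfail, and the sender is whitelisted once it has waited long enough. The 10-second/60-minute delays come from the post; how an IP is judged "dynamic" is left to the caller, and the 24-hour purge of never-retried entries and all addresses are assumptions.

```python
"""Greylisting by class C, as described in the post above.

Added example, not the poster's code. The 'dynamic' flag is decided by the
caller (e.g. from an rDNS pattern); addresses and timings are constructed."""
import ipaddress

STATIC_DELAY = 10           # seconds a normal MTA must wait before its retry
DYNAMIC_DELAY = 60 * 60     # much longer for dynamic (DSL/cable) ranges
GREY_TTL = 24 * 60 * 60     # forget first contacts that were never retried


def class_c(ip):
    """'203.0.113.7' -> '203.0.113.0/24', so an SMTP cluster shares one entry."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class Greylist:
    def __init__(self):
        self.whitelist = set()    # /24s that have proven they retry
        self.greylist = {}        # /24 -> time of first contact

    def decide(self, ip, now, dynamic=False):
        """Return 'accept' or 'tempfail' for a connection from ip at time now."""
        net = class_c(ip)
        if net in self.whitelist:
            return "accept"
        first = self.greylist.get(net)
        if first is None:
            self.greylist[net] = now              # first contact: 4xx them
            return "tempfail"
        delay = DYNAMIC_DELAY if dynamic else STATIC_DELAY
        if now - first < delay:
            return "tempfail"                     # came back too quickly
        self.whitelist.add(net)                   # behaved like a real MTA
        del self.greylist[net]
        return "accept"

    def expire(self, now):
        """Drop entries never retried: fire-and-forget bots would otherwise
        grow the greylist without bound. Returns how many were dropped."""
        stale = [n for n, first in self.greylist.items() if now - first > GREY_TTL]
        for net in stale:
            del self.greylist[net]
        return len(stale)


def simulate():
    """Constructed timeline: a zombie that never retries and a legitimate
    two-node cluster whose second node performs the retry."""
    gl = Greylist()
    log = [
        ("zombie", gl.decide("203.0.113.7", 0)),        # one shot, never back
        ("mx-a",   gl.decide("198.51.100.10", 100)),    # legit first attempt
        ("mx-b",   gl.decide("198.51.100.11", 400)),    # sibling retries -> ok
        ("mx-a",   gl.decide("198.51.100.10", 1000)),   # whole /24 whitelisted
    ]
    dropped = gl.expire(GREY_TTL + 1)                   # zombie entry purged
    return log, sorted(gl.whitelist), dict(gl.greylist), dropped


if __name__ == "__main__":
    for entry in simulate()[0]:
        print(*entry)
```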
Attack of the Bots ... a somewhat long, but informative, read.
I have a need to post my e-mail plainly on certain web-sites, so I'm not significantly increasing spam to my inbox by posting it again. I'm already on all the spam lists. I'm hoping that a critical mass will develop, and we can eliminate the vast majority of spam.
It's a bit of a pain having to go to challenge/response, but there is also new freedom. I am free to tell you who I am, and no longer have to hide. It feels good, and IMO, is worth the trouble of challenge/response.
Also, as an end-user, this is one way I can help stop spam. The filters out there are nice for reducing network traffic, but I can't control the network. I can only control my machine. This is the best I can do.
Beer is proof that God loves us, and wants us to be happy.
"And it goes on for about 7 paragraphs with absolutely nothing to do with its pitch. It's because of this nonsense that it makes it into my mailbox in the first place."
Really. See, because it still works for me. Hammy text is not weighed the same as spammy text on my systems. Doing algorithmic dissection of the text and looking at ham/spam quality ratings in a decent system (DSPAM) is pretty easy. Naive Bayesian filtering removes context, but clever filtering will look at things like the relative word frequency (blogroll?!).
Anti-spam people have already moved past, you just haven't been looking.
The great part is that email spam with pictures doesn't work, because my server ditches HTML email period. Makes it harder for spammers and phishers alike.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
"Let's face it, email is a broken protocol. It has no built-in safeguards against these kinds of attacks. The problem I'm seeing is that we're giving up and just saying it's inevitable, when it's clearly not."
You're proposing a technical solution to a social problem.
Imagine if stealing cars wasn't illegal, but people clearly still wanted to keep their cars. Would you say that making the cars more resistant to stealing was the solution? Of course not, because legally people could still come along and do whatever the fuck they wanted to steal your car. Groups of people could legally work together to escalate the car thievery, since they could sell the same cars to dealers at a lower cost than actual production facilities, and it'd keep demand up for cars at the dealership.
You need to actually go and arrest spammers. Technical means only deter small-time people who are dipping their toe in the get-rich-quick field; organized criminals don't care about technical solutions because they can throw as many people at it as you can, and they only have to succeed once (see the smart cow problem).
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
It needs to be said again and again.
ISPs need to block anyone below them being used for spam, whether it be individuals, or another ISP. Then spam will stop. Period.
Have you read my journal today?
What we need is more user education. We need people to actually take responsibilities for their actions. All of us sysadmin/netadmin folk that are running around with our heads cut off trying to patch mail servers, buy more hardware for more scanning, yada yada, are not helping the problem. Yes, we are curbing spam a little. As spam increases, we will add more hardware, and more "intelligent" processes of dealing with it, but the problem won't go away. If anything, the general public is starting to realize (slowly) the issues that we actually face when dealing with spam.
:)). We can fix the problem of open relays, and servers set up specifically to spam, but we can't seem to curb the ignorance of "joe computer user."
When I read this headline about how botnets are responsible for the surge in spam, I almost laughed. Sure they are! They have been for a long time. The spam issue stems from "joe computer user" who has their machine infected, and does nothing to fix it, or doesn't know the problem exists. We need to educate these people. Should we punish them? Maybe. They didn't cause the problem, but they aren't doing anything to fix it either. Should we take away people's "email rights" for a month if they are caught with a virus that is sending out junk mail? Should they lose internet access entirely for a period of time? I don't know. Would they still want to be a customer of yours? Would the ISP next door treat them the same way?
This situation requires ISPs and Corporations to communicate with each other. We all need to share best practices, and enforce decent network policy. I monitor email output on my network regularly. I sniff for virus signatures, etc. Alas, I am on a shared network where several other ISPs use the same mail servers. We get listed on blacklists because, unfortunately, the other ISPs do not enforce the same practices that we do.
I agree that secure communication from user --> server and server --> remote server needs to be in place, not just for spam protection, but for privacy issues. Perhaps there needs to be server registrations like the telephone system. Can we model email like the voice system today? Every server gets their unique ID handed to them from some organization (like ARIN, or ICANN) that you need to prove your worthiness to? I don't know.
If we all had IDs, and there was a distributed database of IDs, then we could verify that a sending mail server is legit, and we can therefore accept traffic. That's fine, but users are still not under control (I hate promoting control
Should ISPs take a more active role in specifying limitations and requirements for being a customer? Perhaps. Should we force every user to have a client/server relationship with security scanners on the ISP side? These could be looking for vulnerabilities every time a user connects to the network. Traffic can be monitored for signs of "trouble," and the user can be notified, or the problem resolved automatically.
Do I like how a lot of this sounds? No. It sounds like a government trying to control the general population by limiting their freedoms because it's 'good for them.'
Should we just give in and have 2 systems of email communication? One that is limited, regulated, controlled, and one that is our current 'anything goes, you're on your own' system? I'm not sure.
I do believe that general education of exactly what the issues are, and how users are contributing to the problem would be beneficial. I don't want to play the 'Evil ISP Admin' that is punishing my users because of what I deem to be bad behavior, and I don't think many of you do either, but honestly, what are we supposed to do about the personal responsibility of the users?
You create your own reality - Leave mine to me.
Some spam bots try to get around tough spam filters by using low priority MX records to deliver mail. There's a project that's helping to make this practice less effective at: slowspam.com. An explanation of how this is done is at: http://slowspam.blogspot.com/2006/09/slow-spam.html
It's probably time to automatically disconnect all infected computers from the internet, just as people with anti-social tendencies are isolated from society.
You know... if you installed a challenge/response system, you wouldn't get any of those joebob messages anymore ;-)
I stuck with filters for years, and only gave up once I was having trouble finding my real mail in the forest of fakes. It's not a great solution, but it is a solution. I don't see that I have any alternative, other than actually reading the 200+ spam e-mails I get every day (I've received 5987 since Sept 4). SpamCop is a nice idea, but as this /. topic points out, spam is now coming from botnets. I've found SpamCop useless against them.
As for 'breaking the Internet', only one bounce to any given destination is ever sent, not one per spam-email. Chances are, it's the traditional e-mail filter systems out there that are joebobbing you, not challenge/response.
If you've got a better solution for me, I'd like to hear it. SpamAssassin doesn't cut it.
Beer is proof that God loves us, and wants us to be happy.
I'd even go one stage further - hold the ISP accountable for allowing botnets from their users to connect to the Internet, they in turn will disable the Internet accounts of users who are unknowingly running botnets and the users, in turn, will have to either get off their backsides and learn a bit more about how to run a PC properly (in the same way they took the time to probably learn how to drive their car) or pay someone some money (like me) to fix their PC for them.
Gentoo Linux - another day, another USE flag.
If you have something that works feel free to share. I don't run a big server for tonnes of folks but I know I struggle with trying to keep the inbox clean. My wife gets about 20 per day and I get about the same. The difference being I use Thunderbird and it does a good job of figuring out junk mail at the client level and removing it for me. She, unfortunately, uses Outlook and it doesn't do so well. I would love a server level solution to implement and am even willing to add to/change my platform if need be. So, speak up. What's your solution?
Switch to greylisting. Use OpenBSD's spamd. For more information on greylisting, see greylisting.org.
It is crazy to think that your CPUs can do OCR or statistical word analysis on all those messages.
See? That's an awesome site, but they have 2 major downsides:
1) Max 20 messages? When we all have 2+ gig accounts at gmail? Boo.
2) Addresses can be forged. That whole "prefix" thing is kind of a solution, but I think the better solution is to simply force the user to visit the email site and generate a new address first and *then* post it on a site (instead of being able to create it anywhere.) With the advent of Firefox Extensions and the ubiquitous Internet, this is really just one click away anyway.
But yeah, if they brought this into the 21st century, that'd be my idea in a nutshell. Good on you for pointing that out to me.
Make Microsoft and the user and the ISP responsible for zombies.
When there are no zombie PCs (or the difficulty of getting zombies is too much for the penny ante stuff) there will be only open mailservers and deliberate spam machines.
Maybe a few zombies, but not a botnet.
I'm sure it is, for everyone else you're making filter your mail for you. Challenge-response system users are psychopaths.
how to invest, a novice's guide
You must not forget that it is one email per challenge/response system... You aren't the only one putting the burden of spam on everyone else.
:)
I got SpamAssassin and greylisting and very rarely see any spam, and I don't miss any email either.
Let me give you some stats on that:
- August 2005 I had only SpamAssassin and 3000 messages got tagged as spam
- July 2006 I had greylisting as well: only 200 spams reached SpamAssassin to be tagged as spam
Greylisting does burden the sending mailserver, but not by far like a challenge/response system puts a burden on everyone. Greylisting doesn't burden any users, just servers.
Ok... tell me more. This grey-listing sounds interesting. I have two e-mails that regularly get spammed. The billrocks.org one goes through my home server. I can do whatever I want with it. The other goes through Yahoo, and I can't change Yahoo. Got any good link for a how-to? Thanks!
Beer is proof that God loves us, and wants us to be happy.
Gosh, I've invested all this money in this leaking roof, but it still keeps leaking. I guess I should just throw more money into it and hope it'll stop leaking eventually, rather than replace it with something of a superior design. Yeah, that just might work.
No idea why I just wrote that...
Clever signature text goes here.
Basically you give the sender a 450 error, which is a temporary error. Any mailserver following the RFC will then retry for a period. Most spammers use botnets and zombies and just spam and run, they never look at the response from the mailserver. I am not aware of any 'well-known' email servers that do not honour the 450 error, even Exchange does. You tell the server to reconnect after X minutes; attempts to deliver before that give more 450 errors.
sqlgrey is the one I use, there are others. sqlgrey has the ability to opt in or opt out the addresses you want protected so your scenario should work just great for testing.
Another feature I did test a while ago was something called greetpause, which waits a number of seconds before it greets the other mailserver. Well-behaved servers (all legitimate, as far as I know) wait until they are greeted before issuing commands. Again, the spammers rarely do. If the sender sends before the greet the connection is closed. I don't use this today as it's not in the stable build for my distro, but have used it under testing with excellent results.
http://en.wikipedia.org/wiki/Greylisting
One 'warning': leave one address unfiltered, some sites use their own mail handling scripts and do not honour the RFCs. Mostly BitTorrent-site-type registrations give you this trouble, though.
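A Python sketch of the greylisting decision this post describes, combined with the three-step /24 ("class C") whitelist/greylist logic from the earlier post and its 10 second / 60 minute delays. It is an added example, not sqlgrey's or any poster's code; the dynamic range table, the clock values and the opted-out recipient address are constructed for the demo.

```python
"""Greylisting policy sketch (added example, not from any poster's setup).

Logic mirrored from the thread:
  - /24 on the whitelist            -> 250 accept
  - /24 not yet on the greylist     -> add it, 450 tempfail
  - /24 on the greylist but retried
    before the delay has passed     -> 450 tempfail
  - retried after the delay         -> whitelist the /24, 250 accept
Spam-and-run bots never retry, so they never reach the accept branch.
The recipient opt-out stands in for sqlgrey's per-address opt in/out
("leave one address unfiltered").  'now' is passed in so the policy can
be exercised offline with a fake clock.
"""
from __future__ import annotations

import ipaddress

STATIC_DELAY = 10         # seconds a static /24 must wait before retrying
DYNAMIC_DELAY = 60 * 60   # one hour for addresses inside dynamic ranges

# Constructed sample data: a real deployment would take dynamic ranges
# from a DUL-style list; one /16 is hard-coded here for the demo.
DYNAMIC_RANGES = [ipaddress.ip_network("10.20.0.0/16")]


def class_c(ip: str) -> str:
    """Map an IPv4 address to its /24 so an SMTP cluster shares one entry."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def is_dynamic(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DYNAMIC_RANGES)


class Greylister:
    def __init__(self, unfiltered_recipients=()):
        self.whitelist: set[str] = set()        # /24s allowed straight in
        self.greylist: dict[str, float] = {}    # /24 -> time first seen
        self.unfiltered = set(unfiltered_recipients)

    def decide(self, ip: str, recipient: str, now: float):
        """Return (smtp_code, text): 250 to accept, 450 to tempfail."""
        if recipient in self.unfiltered:
            return 250, "OK (recipient opted out of greylisting)"
        key = class_c(ip)
        if key in self.whitelist:
            return 250, "OK"
        first_seen = self.greylist.get(key)
        if first_seen is None:
            # First contact from this /24: record it and ask for a retry.
            self.greylist[key] = now
            return 450, "Greylisted, please try again later"
        delay = DYNAMIC_DELAY if is_dynamic(ip) else STATIC_DELAY
        if now - first_seen < delay:
            return 450, "Greylisted, please try again later"
        # The client waited and retried like a real MTA: promote the /24.
        self.whitelist.add(key)
        del self.greylist[key]
        return 250, "OK"


if __name__ == "__main__":
    g = Greylister(unfiltered_recipients={"registrations@example.org"})
    for t in (0.0, 5.0, 12.0):
        print(t, g.decide("192.0.2.10", "me@example.org", t))
```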
Does anyone have a Whitelist of Major ISP's MTA IPs ?
just adding this to my whitelist then banning common words that are uncommon in my industry would work for me
Type unto others as you would have them type unto you.
SPAM is the "meat". Spam is email. Get your technical terms right d:
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
Well obviously there has to be a bunch of idiots buying crap off this spam or they wouldn't even bother. So somewhere some idiot is opening a spam mail going "Hmm, I would like to be able to ejaculate more" or "hmm I'm interested in this forex" and then buying the shit. Not only one idiot but thousands or they wouldn't even do it. Spam and botnets are a huge scourge to the net. I always blame windows and their shitty os for all the botnets and spam, well it's many things. I do know blacklisting doesn't really do any good, as most blacklisted ips have never spammed. Something has to be done about spam and botnets both or the net is in trouble.
Bayesian still seems to work decently for me with SpamBayes and Spam Bully. I guess it comes down to how you train stuff. But I haven't been getting too many false negs even on this new crop.
Another problem is that some mailing list servers (especially yahoo's) generate a new return address for every message - even if it's the resend of the same message. This results in the greylist thinking it's a new email on every reattempt and the mail never gets through. So you end up having to whitelist those servers and so the spam gets through anyway.
(Except for some broken MS crap, but that's broken MS crap).
Add this to your procmail, or something equivalent to the equivalent: You will not lose anything worthwhile, and you will no longer see stock spams.
Spambot randomizes subject line with amusing results:
One day at work I received a spam with the subject line "rump polish".
Better still, if you notice a machine sending vast amounts of spam, root it yourself and corrupt the network drivers, taking it off the air... ;)
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
Spammers, ad-ware writers, and other scum have made many, many people's online experience a nightmare. While most people try to defend themselves by installing spam filters, spyware detectors, anti-virus programs and other software, spammers continue to come up with yet even more insidious ways around these defenses with impunity. We have even asked the government to help us, and what does Uncle Sam do? He passes a law that is most favorable to spammers. The law is called the CAN-SPAM act. CAN-SPAM puts the burden of "opting out" of spam on us users. We have been instructed many times by anti-spam gurus not to reply to spam or visit a spammer's website in order to "opt out". This is because spammers in many cases use these opt out requests to confirm an actual working email address. Spam filters in many cases miss some spam and can actually flag very important legitimate email as spam. Again, we are punished while spammers continue to profit.
Spammers will continue to spam as long as there is money to be made in doing so. The economics are on the spammers' side. If a spammer sends out one million spams that advertise a product, and only one person out of ten thousand buys the advertised product, the spammer has made one hundred sales. These sales were generated at little cost to the spammer, and at big cost to users and internet providers. The Internet service providers have to pay the costs of storage and equipment to process the spam. Time is money, and many users spend their precious time deleting spam, upgrading filters, etc. If the user is at work, then their company has to pay for this time in lost productivity. The same thing goes for malicious software that generates popup ads, skews search engine results, etc. People can continue to use their antivirus, antispam, and antiadware programs to try to protect themselves, while the bad guys continue to get away with their spamming, pop-up advertising, and search engine skewing with impunity. Using defensive means to defend against spammers is much like putting one's hands over one's face in order to protect against the punches of a schoolyard bully. One might keep a specific blow from blackening an eye, or fattening a lip, but he or she has so far done nothing to deter the bully from throwing even more punches. The bully will continue to throw punches as long as there is satisfaction in doing so. It is only when the bully is confronted with a crowd of angry people, or a damned good fighter, that he or she has an incentive to quit throwing punches. As it goes with bullies, the same thing goes with spammers. Punching back can definitely be a deterrent! Spammers will stop spamming only when the cost of spamming becomes higher than the profits made from spamming.
I have written a Java-based program that will work by following instructions on how to submit complaints via order forms on spamvertised websites. Instruction files will be cryptographically signed and distributed via a peer to peer network. My program is designed this way so that spammers cannot maliciously modify instruction files to attack innocent websites or shut down updates. The main obstacle to releasing it at the moment is programming UPnP to allow home routers to allow incoming connections. I am willing to collaborate with anyone who has Java UPnP experience to resolve this one last issue.
USPS. All those tenured workers have a huge vested interest in promoting the demise of e-mail so people will go back to good old fashioned letters with stamps.
Why not use digital signatures? I cannot wait until Thunderbird's spam solution will allow me filtering based on signatures. Then my tactic will be:
1. Apply a whitelist for prior contacts (if I send email somewhere, they should automatically get on my whitelist)
2. Check signature (existence and validity) if ok, then accept email as legitimate. (Note that the signature should cover the headers as well; this way the generation of the signature is processor time costly, so spammers will not even be able to afford it in large volumes.)
3. Discard rest of email as spam or apply more filtering.
I already digitally sign all my emails.
I run a home mail server, and have pretty much always used Spamhaus sbl+xbl. In addition to that I run Spamassassin. Lately I've noticed more and more spam of the image-variety, coming from dynamic IP addresses for cable and DSL. Spamassassin is ineffective against this type of spam, so I decided to try dul.dnsbl.sorbs.net. That same day I enabled it, my mail server rejected 1200 inbound connection attempts as a result. That's a lot less work for Spamassassin to do!
.de domains no longer accept mail from IP addresses listed as "dynamic" (I'm on a static IP, but it's from a dynamic IP range).
There is no legitimate reason for a dynamic IP address to connect directly to my mail server, unless it is somebody else who runs a home mail server on a cable/DSL IP. In the that case, if they're smart enough to run their own home mail server, they should be smart enough to configure smtp transport maps to direct mail to my domain via their ISP's mail server. I've already had to do this myself, as I discovered that certain
If all ISPs followed suit and blocked incoming SMTP from dynamic IP addresses (other than their own), spam would be dramatically reduced. I'm not talking about open relays - I'm basically saying that ISP mail servers should only accept mail from static IP, genuine ISP or corporate mail servers, even when the target recipient is a domain they host. This would pretty much make bot nets useless to the spammers, and force them to revert to running their own mail servers, or trying to compromise other legitimate servers.
It wouldn't eliminate the problem, but would severely reduce the number of places we have to fight spam.
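How a DUL-style DNSBL check like the dul.dnsbl.sorbs.net lookup mentioned above is actually performed, as an added example that is not the poster's configuration: the connecting IP's octets are reversed and prefixed to the list zone, and a 127.0.0.x answer means "listed". The zone name and the lookup table are constructed placeholders, and the resolver is injected so the code runs offline.

```python
"""DNSBL lookup helper (added example; zone and table are constructed).

A DUL lists whole dynamic ranges, which is why a static address carved
out of a dynamic block (the .de experience in the thread) is rejected
too: the query is for the address, but the listing covers the range.
"""
import ipaddress


def dnsbl_query_name(ip: str, zone: str) -> str:
    """203.0.113.9 + 'dul.example.invalid' -> '9.113.0.203.dul.example.invalid'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve) -> bool:
    """resolve(name) returns the A record as a string, or None for NXDOMAIN.

    Only answers inside 127.0.0.0/8 count as a listing; anything else is a
    wildcarded or dead zone and must not cause mail to be rejected.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


# Constructed offline table standing in for the real DNS zone.
FAKE_ZONE = {"9.113.0.203.dul.example.invalid": "127.0.0.10"}


def fake_resolve(name: str):
    return FAKE_ZONE.get(name)


def smtp_decision(ip: str, zone: str = "dul.example.invalid", resolve=fake_resolve):
    """Reject at connect time, before the message body costs any CPU."""
    if is_listed(ip, zone, resolve):
        return 554, f"Service unavailable; {ip} is listed in {zone}"
    return 250, "OK"


if __name__ == "__main__":
    for ip in ("203.0.113.9", "192.0.2.1"):
        print(ip, smtp_decision(ip))
```

For a live lookup, replace fake_resolve with a function that does a real A-record query (for example via socket.gethostbyname, returning None on failure).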
That would be the next step beyond challenge/response, once the spammers figure out who's on my whitelist and masquerade as them. However, I haven't seen this issue in the wild yet, except for some annoying spam claiming to come from me. Naturally, I'm in my own whitelist.
Beer is proof that God loves us, and wants us to be happy.
Er, it has been around for copying and pasting for some time already. Thank Cory Doctorow for this one.
Depends on your greylisting service. Mine whitelists if domain + sending IP sends more than 10 messages, so it's not an issue.
Simpler generalization: NEVER follow a link in an email without checking, any more than you'd open an attachment in Outlook.
Here is where the real solution is found. You have to charge for sending e-mail. I can imagine people yelling "What?!? Never!" but in all honesty, that's the only way spam will ever be "solved." Whether it's a fraction of a penny per message or a limit on how much mail can be sent in a given time for free (or to how many people), it would be a minor price of business online that would have a real impact on spam. It starts looking a lot less appealing when you have to pay before you hit that eventual one-in-a-million recipient that buys the product.
The hard part? Migrating from the current system to the new one. Perhaps it can be pitched as "clean e-mail services" that don't run like every other SMTP server. There are certainly bright people out there, I am just waiting for this idea to be picked up by them.
Thanks for the description. Greylisting sounds like a positive step, but I'm not able to enable it. Yahoo does their own thing, so I can't work with that account. Stupid Pac Bell is blocking INCOMING port 25 (bastards!). To get mail to the billrocks.org server, I have to pay a relay service $10/year to forward it to another port. So, I'm never directly contacted by the spammers.
I got 48 spams since reading your post about greylisting. Is there anything else I can do? Thanks.
Beer is proof that God loves us, and wants us to be happy.
SpamAssassin and greylisting kills all my spam (both home and at work) without false positives (I don't monitor everything, but do some regexp checks).
I can admit I kinda cheat a bit: Since I'm Norwegian, Bayes is way more effective than for English-speaking users.
But I got SpamAssassin using razor2, pyzor, dcc, rules du jour with all rulesets and some custom rules to score messages from Brazil, China and Korea a bit extra.
Being both non-English and non-US probably makes this war a whole lot easier. The few times I get hit with Norwegian spam I contact their ISP and get them shut down and then file a complaint with the right authorities. Happens only 1-2 times a year, though.
To me it is vital to be able to run my own mailserver. Blocking port 25 inbound seems like a greedy ISP, but 25 outbound is reasonable. I just smarthost all my outgoing through my ISP's mailserver.
I've been using a catch-all for years, but the spammers finally found out about my domain about 6 months ago, and forge it as From: my domain, and the bounces have been coming to me as well. First thing I did was implement SenderID/SPF, hoping that would at least make a dent in it, but no luck. Finally, I took a few hours to go through my email and manually add forwarders for every address I've given out (many 100s), and disabled the catch-all. Not only will I not see the bounces now, but the spammers will have less luck using my domain, since more and more servers implement sender-checking and can reject the spam before it's even sent, as your other reply mentioned.
.... that is a bit extreme.
IANAL but write like a drunk one.
Took a ton of load off my mailserver since so many fewer emails get fed to spamassassin, and no one has yet called me to ask why I'm rejecting their mail. Regarding the delay, if you're not on the whitelist, I give an email a 10 second delay by default, but a 60 minute delay if your IP is listed as dynamic. Most spammers don't retry at all, and very few retry for the full 4 hours that they're required to.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Now imagine if ebay started using GPG/PGP on its email and encouraging the masses to use and understand the technology. (Even at the "here take this plugin" level.) * Plugin deletes ebay messages that don't match PGP/GPG.
More and more people are reporting spam asking why are they receiving the bucket loads of spam all of a sudden, so this is experienced everywhere. http://www.cybertopcops.com/report-spam.php
www.cybertopcops.com