Bot Nets Behind Recent Spam Surge

gsslay writes "Everyone must have noticed a surge in spam recently, particularly for stock pump 'n' dump scams. The Register reports that anti-spam companies have seen a 30% increase in the last two months and, more worryingly, more of this spam is getting through to mailboxes due to the spammers' change in tactics. Rather than use unsecured mail relays spammers are using bot nets, making spam harder to identify and eliminate. Bounced spam is also on the up, and some experts reckon it's past time to start worrying. "

AI to Stop the Spam

[eldavojohn]

I know it's an old article, but Paul Graham's A Plan for Spam seems as applicable now as it ever has. It's not the best but even when international alliances (albeit recently formed) can't stop spam, you have to start using your imagination.

But this Bayesian strategy has been overcome by the spammers. They use hilariously strange word ordering trick the spam filter and lower their threshold (see Graham's Lisp code) down to an acceptable range. Here's a piece of text from some spam that made it into my mailbox this morning:

However 'Beyond' is also butt ugly, the first week's worth of posts are a bit boring and the blogroll is narcissistic.

And it goes on for about 7 paragraphs with absolutely nothing to do with its pitch. It's because of this nonsense that it makes it into my mailbox in the first place.

How do we eradicate this problem? What strategies do we use next?

Well, I would suggest that we stick to the Bayesian approach but instead of tokenizing via Paul Graham's proposed algorithm, we could investigate tokenizing the text based on letter groups (divide 'words' into 2-3 letter groups and test for those frequencies) or even natural language parsing. Yes, I know it sounds absurd but I really think that an engine could be written in Prolog using WordNet or another dictionary with some basic English rules in an attempt to parse and analyze incoming text.

Who knows? Perhaps our need for a spam filtering engine could breed innovation in the AI community?

Re:AI to Stop the Spam

[denoir]

Who knows? Perhaps our need for a spam filtering engine could breed innovation in the AI community?

There are already far better methods than Bayesian classification. For a comparison with neural networks and support vector machines see this blog posting.

So why aren't they used? The answer is two-fold. First of all Bayesian filters are very fast to train and very fast to use. Neural nets are computationally expensive to train and fast to use while support vector machines are expensive to both train and use.

The other reason is that apparently the people writing the mail clients have little or no knowledge of the more advanced methods while the people in the "AI" community seem to have limited interest in spam filtering.

Also, in the long term, server-side filtering is the only acceptable solution. Even with an adequate client-side spam filter, you have the problem that you are downloading the mail from the mail server. This not only puts unnecessary strain on the server but can be quite expensive if you for instance are synching your mail on your cellphone. And server-side anti-spam software is developed at an excruciatingly slow pace.

Finally, the second front must be legal. Wouldn't it be nice if the law enforcement agencies focused on getting the spammers rather than chasing file sharers? Unfortunately, there seems to be little interest for that in the US (the primary source of spam). In the EU it is illegal to send spam to somebody if you haven't gotten explicit permission from the person you are sending it to. In the US it isn't illegal unless the person you are sending it to hasn't explicitly forbidden you to do so. A change of the US system to the one they have in Europe would be preferable.

Smarter Spammers

[eldavojohn]

It's not about the amount that comes to you, but rather the tactics being used. I think the spammers have learned to make it past Bayesian filters and, as a result, we can't just automatically dispose of mail. More and more of it is making into mailboxes whether it's attaching dummy text to fool the filters or just making the pitch come in the form of an image and using good text to get that image to the user.

Are your mailbox counts filtered or unfiltered? If so, what strategy is used?

Current Problems

[herwin]

I've been noticing a lot of the pump and dump spam recently, partly because non-existant addresses associated with a domain I own have been used as return addresses. I've also recently learned that the address of an academic website I maintain on a university server was poisoned on at least one major DNS so people accessing the website were redirected to a fake site that attempted to take over their machine. It's really getting rough out there.

Use IM Techniques + Captcha

[cucucu]

I think 2 simple solutions can be combined.

1- As in IM, no one can email you if you have not emailed before.

2- For first time email, the receiving server could sent back a http://en.wikipedia.org/wiki/CaptchaCAPTCHA or a product of two large primes to factorize.
The captcha would be solved by the human sender, or the factorization problem by her MUA. Nowadays email is almost instantaneous, this would not add a noticeable delay. All the protocol could be implemented over current email protocols with little modification to existing software.

SPAM processing - server meltdown

[andrews]

Over the last couple of months the spam count on my mail server has gone from an average of 10K a day to over 20K a day. I had to turn off virus scanning and actually drop some of my spam filtering because the server couldn't process the mail fast enough. Now I'm having to upgrade the mail server hardware to handle the increased SPAM load. I'm sure I'm not the only one forced to do this.... SPAM gone from an annoyance to a financial problem.

Image to text

[Overzeetop]

If we could OCR these incoming images, maybe that would eliminate at least the deluge of stock pumpers. I made the mistake of setting an autoreply on my account recently (at the server end). Now I get a zillion bounce-spams using my domain (I monitor a catch-all) and randomly generated usernames.

I think law enforcement should be working harder at catching spammers (internationally, if necessary) than they are at tracking down copyright infringers. Not because of any moral posture, but because I suspect the total economic impact of spam is greater than infringing use of content. I also think the prohibition against cruel and unusual punishment should be lifted.

Hey, now that I come to think of it, maybe spam is a bigger issue than oil. I say we start invading countries with spammers!

bot wars

[MECC]

I recently saw a surge from about 15 spams a day to well over 200. So, I got a spamcop account, and changed my email to go there, and then from there I forward it to where I read my email. Now I'm back down to about 15 per day. Spamcop catches the rest, and they land in my 'held mail' folder, where it takes about 10 seconds to report as much spam as I want. In the email account where I actually read my email, I pushed up the sensitivity of the spam filters, and now I see maybe two a day in my inbox. I just report the rest to spamcop.

Maybe we need bots to fight the bots. Bot Wars. In a galaxy far, far, away...

Not so hard to catch

[pscottdv]

If law enforcement really wanted to catch these pump-and-dump spammers it would be easy to do. Just investigate the people who have purchased large volumes of the penny stocks being spamvertised. I doubt anyone cares enough to do it, though.

Oh, and Slashdot? If you keep hitting me with animated advertisements that cannot be closed, I will be moving to Digg.

Re:Not so hard to catch

[twotommylong]

Most pump/dump scams are now driven by identity thefted accounts. Steal identity, open an account, establish ACH-Out to a local bank, then an ACH-out to a foreign bank, buy 100 shares a day of the cheap stock for 3 months (multiplied by several accounts across several brokerages to stay under the radar), start the 'pump' hit your profit margin (less than 10,000 per account), then siphon the illicit accounts.

Last weeks press relating to Ameritrade and E*trade taking huge losses (22Million+ in writeoffs), points out that now pump/dumpers now can actually just 'steal' access to a bunch of legit accounts (HAXDOOR ID/password capture via a keystroker stealer), wait a couple weeks... then issue a bunch of BUY orders across the stolen accounts, use your pre-setup fake accounts to either SELL or SHORT the issue, ACH-OUT, and $$PROFIT$$, all in a matter of hours, and in fact, you don't even have to SPAM people (typically SPAM email doesn't work, but SPAMMING newsgroups and chatrooms does).

The press last week noted that it is _hard_ to catch these villians, as they typically launder their money through several layers of classic identity thefted accounts (online brokerages, then banks, maybe Ebay(buy/sell to 2 stolen identities) then PayPal, then foreign accounts. Once you're able to cross international jurisdictions and are not dealing with $millions (most scams like this net a couple hundred thousand USD per event, enough to make it worth setting up the one time network, let's say $10K of expenses in stealing accounts [fake ids, birth certs, SSNs, Drivers licenses] and setting up the seed cash for sales), the effort to catch a scammer is not worth it to the Feds, Interpol etc.

Email is a broken protocol

[Ignorant+Aardvark]

Let's face it, email is a broken protocol. It has no built-in safeguards against these kinds of attacks. The problem I'm seeing is that we're giving up and just saying it's inevitable, when it's clearly not. There's lots of good methods out there that stop spam cold in its tracks. Some sort of actually enforced sender ID protocol would be a good start. The problem is that everyone thinks the current system has too much inertia, and that it can't be replaced.

Bayesian Has Failed

[ObsessiveMathsFreak]

Well, I would suggest that we stick to the Bayesian approach but instead of tokenizing via Paul Graham's proposed algorithm, we could investigate tokenizing the text based on letter groups (divide 'words' into 2-3 letter groups and test for those frequencies) or even natural language parsing.

No. Bayesian filtering has failed, just like every other filtering method before it. Modifying it will not work. Adding OCR for image text will not work. Creating a new filtering mechanism will not work. The spamming will continue, more and more of it will get in.

Frankly, given that both processing power, disc space, bandwidth etc, are all increasing, I for one foresee the current spam/ant-spam arms race continuing indefinitely, with the amount of spam sent slowly increasing, and the amount caught by the filters being just enough to keep the amount of spam you get into your inbox at in and around a constant level. It's an endless cycle.

I say, turn it all off. All of it. The filters, the blacklists, the whitelists, Spamhaus, the lot. Let every single spam sent reach its destination, if just for one day. Let Joe Sick Pack finally realise the scale of the problem and just how much strain is being placed on mail servers. It will be both terrible and beautilful at the same time.

Then take off and nuke the site from orbit. It's the only way to be sure.

Email Weaknesses and Compromises

[Xaremos]

This is my own experience. I once got a library card, and gave my email address. Within a month I started receiving a huge amount of spam using my name, physical address, and/or email. I moved (for other reasons ^_^), and got a new library card. I set up an email address specifically for using as my library email. Same thing happened. In a few years I moved again, new card, new spam. I got a ticket. I gave my email address to the municipal court. Within a month, more spam. I worked for the state for a while. I set up an account specifically for that and had no mail until I had given the state the email address, and then I started getting spam. So, my thinking is, it is the government or at least my state government that has issues with security.