What's With All This Spam?
coondoggie writes to mention a Network World article about soaring spam levels, confirmed now by researchers, IT managers, and security vendors. So, indeed, it's not just you: October was a spammy month. From the article: "Levine's assumption is this spike in spam levels is a result of a new generation of viruses and zombies that can infect PCs more quickly and are harder to get rid of. In its October report, messaging security vendor MessageLabs says the spike is largely due to two Trojan programs, Warezov and SpamThru. Others say a new breed of spam messages called image spam -- messages with text embedded in an image file that evade spam filters, which can't recognize the words inside the image -- is responsible." A note: I have no interest in penny stocks.
It's almost Christmas season. Let's just calm down for a second and think...why NOT have all the adverts delivered right my inbox? Instead of hunting for the best deal, I know where the BEST V1AGRA PILZ are immediately! WOOT
One thing that has always bemused me about the penny stock spams is the brokerage fees. If you pay, say, 1 1/2 cents per share in brokerage, (thus 3 cents total for buying and eventually selling), your 15 cent stock trade is 20% in the hole the minute you do it.
How much of it was Sen. Ted "Tubes" Stevens' spamming?
To be honest, I didn't think he could plug a computer in, but we all know that little intelligence is required to become a spammer, so...
Sorry, couldn't resist :-)
One more then I will go.
In Soviet Russia, the receivers of spam...
track down the dang spammers and break them. - I wish
What spam? I get maybe 1 or 2 spam emails in my actual inbox each week.
Oh, my spam folder? Over a hundred a day, but as I recall, Gmail has miscategorized maybe 2 or 3 messages as spam during the entire time I have used it. Unless I am expecting something, I rarely check the spam folder at all.
Need help treating your acne? Come here!
I use SpamAssassin and train it regularly against obvious spam. I've heard that this new crop of spam GIFs accompanying seemingly-normal text is meant to get through or even de-train Bayesian filters, but wouldn't SpamAssassin be able to recognize that one common thing about all these messages is an attached image file, and so consider that a spam marker? I read my mail as plain text in Gnus, and most people I correspond with avoid HTML mail and image attachments, so it wouldn't be a problem for me if GIFs or PNGs went straight to /dev/null.
That's why you should have an ISP that filters, then have filters on your box. Some of it still gets through but it is manageable.
Many of these stock spams have been going to people who have accounts at Ameritrade. It is likely that their email list has been stolen. See http://www.billkatz.com/node/77 for details.
Domain owners: Set up SPF NOW!!!
I set up SPF on my domains and the number of bounces from spoofed SPAM dropped dramatically.
Do not wait any longer, do your duty to the internet community: Set up SPF NOW!!!
No, I will not work for your startup
At work we use SpamAssassin with a GPL OCR plugin; however, it's getting foiled by intentionally added noise in the images. I propose we come up with a way to detect these non-character elements (noise) in the associated spam images instead of just trying to OCR the text. The noise I've seen seems like it should be easily detectable.
"Begun, this Captcha Wars has."
-Yada
I barely get any spam either, but my ISP's mail servers are so choked with the stuff that real emails are being delayed by as much as two and a half days. So all of you who say "What spam?" need to be aware that, unless you only send messages to yourself, it's a real problem for everyone.
SPAM? I don't get any recently. Really. No SPAM. I don't know maybe filters got better.
What was the measure of this increased volume of SPAM? Judging from filter logs or what?
I can't afford the CPU power to let it check all messages in SpamAssassin. So I have to ditch many of them based on Netblock, Country, IP address, invalid EHLO, claiming they're "localhost" or "friend". Only then, after binning about 99% of connection attempts, do the remaining have to run the SpamAssassin gauntlet.
Most of mine get binned with a 554 "You're not localhost"
Some spammer is using an email address of mine to send spam from. So I get the people writing back, asking why I am sending them spam. And another of my domains is obviously listed somewhere as a domain where guessing user accounts might be a good idea. So I get cqoiecn@mydomain.com, zqopqwn@mydomain.com, etc. It all just sucks. I'm currently getting about 10 spams per minute.
Get your own free personal location tracker
I'm working on a sender-stores system for a distributed social networking software called Appleseed based, in theory, on Internet Mail 2000. I figured early on that since the system was distributed, which means that anybody could set up an Appleseed social networking "node", it would suffer from the same problems as any mail system if I used the standard receiver-stores system.
I don't harbor any illusions about a sender-stores system being able to eliminate spam entirely, but the reason I went with it, especially after reading this in-depth critique, was that it created a system of accountability. You may not be able to stop spam, but you have much better tools for knowing exactly where the spam came from.
The disadvantage is that it becomes, ideologically anyway, incompatible with current email systems. I consider this a small price to pay to allow admins to have better control and protection over their systems.
The system I'm building is rudimentary for now, and only uses direct HTTP->HTTP connections to send notifications and retrieve messages, and won't have any of the fancy abilities that email has right now, but it's a start, and there's no reason that those features can't be added as it evolves. It's gonna be a big experiment, and I'm expecting a whole lot of unforeseen issues, but this whole project is a big experiment, so I'm excited about the possibilities in general.
But I just recently had an older D-Link wireless router that got infected with something that turned it into a spam bot. It was using the router as the spam generation unit, sending out packets to and from the most random addresses, stuff that could no doubt be spam oriented. I captured about 100MB of logs pertaining to the whole issue. It even managed to block numerous updates to the firmware and would not allow itself to factory default. It's like it had a whole other firmware implanted in it and was taken control of.
This rise in spam is actually an elaborate plan in order to get through John C. Dvorak's spam filter.
At my ISP, there is even more spam in November.
I often get email that contains no advertising, contains no links, has no attachments, but is definitely not written by a human and does not convey any useful information. Often this is in the form of a short story. Sometimes it is in the form of an essay. In either case, it looks like it is generated with simple probabilistic Markov chaining. As such, my spam filter accepts it and I have to manually delete it. Is this just nuisance spam? What does the sender get out of it? Seems pointless, and that's pretty scary to me. I can understand being annoying so you can sell more of your product to idiots on the internet, but being annoying just for the sake of it?
How we know is more important than what we know.
The moron moderator who rated "Domain owners: Set up SPF NOW!!!" as offtopic needs to get a clue. SPF: Sender Policy Framework is used so you can filter out forged mail. The recent flood of stock-pumping spam used many forged domains in the "from", and if you filtered on SPF, you wouldn't have seen as much spam.
I might add, it would be nice for people to REJECT spam rather than BOUNCE it. When you bounce it, innocent domains get an email complaining about the forged email. With these spambots, it adds up quick! Doing a reject also allows legitimate senders to discover their email was not delivered.
Another user mentioned SPF. This is good. You configure a TXT record in your DNS, which says to the world, unless emails claiming to come from mydomain.com come from mail server a.b.c.d, or w.x.y.z, then bin them. It doesn't reduce your spam, but it prevents people being able to use our domain in the from address to send their spam, meaning you get fewer bounce-backs/user not found emails. (It can mess up forwarding though.)
But I haven't got it working in Postfix yet, so I can't benefit from others' SPF records.
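The TXT-record idea above (and the reject-rather-than-bounce point a few comments up) as a small, added example that is not from any poster here: a minimal evaluator for the ip4/all mechanisms of an SPF record, plus the SMTP-time decision. The record and addresses are constructed, and a "pass" only says the sending host is authorised for that domain, not that the mail isn't spam (spammers do publish records for their own throwaway domains).

```python
"""Minimal SPF (RFC 4408-style) evaluator for the ip4 and all mechanisms.

Added example, not from the thread. It assumes the sender domain's TXT record
has already been fetched (here it is a constructed string) and shows the
receiving MTA's decision: reject during the SMTP session with a 550 rather
than accept the message and later generate a bounce to a forged sender.
"""
import ipaddress

# Constructed sample record: mail for example.com may only come from two networks.
SAMPLE_TXT = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"

_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Split a TXT record into (qualifier, mechanism, argument) tuples.

    Returns None when the record is not an SPF record at all."""
    parts = txt.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def check_host(ip, txt):
    """Evaluate the connecting IP against the domain's SPF record.

    Only ip4 and all are implemented; include/a/mx need DNS lookups and
    are reported as permerror here rather than silently ignored."""
    terms = parse_spf(txt)
    if terms is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in terms:
        if mech == "ip4":
            net = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32
            if addr in net:
                return _RESULT[qualifier]
        elif mech == "all":
            return _RESULT[qualifier]
        else:
            return "permerror"
    return "neutral"                          # no mechanism matched, no 'all'


def smtp_decision(result):
    """Map an SPF result to the reply given while the sender is still connected.

    A 5xx at this point means no bounce is ever generated, so the forged
    From: domain receives no backscatter and a real sender learns of the
    rejection from its own MTA."""
    if result == "fail":
        return "550 5.7.1 SPF check failed: host not authorised to send for this domain"
    if result == "softfail":
        return "250 OK (softfail passed to the content filter as a score input)"
    return "250 OK"
```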
Otherwise I'd be more than willing to scan the spam for the links to the beneficiaries' websites and just block them or even turn chummer loose on them; but with pump-n-dumps there is no clear beneficiary.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Since most of this spam is sent by zombies, they care nothing about the success rate of the delivery. They just pump out thousands/millions of spam messages, hit each e-mail address once and move on. If it fails or appears to fail then it just moves to the next since single-digit success rates still result in thousands or millions of free advertising for the spammer.
As a result, using greylisting results in filtering a HUGE amount of spam out since it fakes a temporary failure from any new server connecting and waits for the server to try sending the mail again after a defined delay (according to the RFC, mailservers are supposed to try sending again if they get this temporary deferral).
I set this up on my primary server (Ubuntu with Postfix) and saw a 99% decrease in spam since none of the zombies care enough to try connecting again. By the time a zombie gets upgraded to be wise enough to evade this, it is likely to fail all kinds of other spam tests anyway (referring mainly to blacklists, though blacklisting can be extremely evil by nature).
If you run a mailserver, definitely look into setting this up. The wikipedia article explains the low-risk nature and exactly how it works: http://en.wikipedia.org/wiki/Greylisting
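The greylisting mechanism described in this post, written out as an added example (not the poster's setup, and not the Postfix policy daemon they used): a triplet store that answers a first attempt with a 450, accepts a retry after the delay, and forgets triplets that never come back. Delay and TTL values are assumptions, and time is passed in explicitly so the run is deterministic; as later posters note, a zombie that does retry will get through this layer and must be caught by the filters behind it.

```python
"""Greylisting triplet store (added example, not from the thread).

The MTA calls Greylist.decide() for each delivery attempt with the connecting
IP, envelope sender and recipient. An unknown triplet gets a 450 temporary
failure; a standards-following MTA retries later and is then accepted, while a
fire-and-forget zombie never returns and its entry quietly expires.
"""

GREYLIST_DELAY = 300              # seconds before a retry is accepted (assumed)
GREYLIST_WINDOW = 4 * 3600        # drop an unconfirmed triplet after this (assumed)
WHITELIST_TTL = 36 * 24 * 3600    # keep a confirmed triplet for 36 days (assumed)


class Greylist:
    def __init__(self):
        self._seen = {}           # triplet -> (last_seen, confirmed)

    @staticmethod
    def _key(ip, sender, rcpt):
        # Key on the /24 so a sending pool that retries from a neighbouring
        # host (common at large providers) still matches its own triplet.
        net = ".".join(ip.split(".")[:3])
        return (net, sender.lower(), rcpt.lower())

    def decide(self, ip, sender, rcpt, now):
        """Return the SMTP reply the MTA should give for this attempt."""
        self._expire(now)
        key = self._key(ip, sender, rcpt)
        entry = self._seen.get(key)
        if entry is None:
            self._seen[key] = (now, False)
            return "450 4.7.1 Greylisted, please try again later"
        first_seen, confirmed = entry
        if confirmed:
            self._seen[key] = (now, True)       # refresh the whitelist TTL
            return "250 OK"
        if now - first_seen < GREYLIST_DELAY:
            return "450 4.7.1 Greylisted, please try again later"  # retried too soon
        self._seen[key] = (now, True)           # retry after the delay: proven MTA
        return "250 OK"

    def _expire(self, now):
        stale = []
        for key, (ts, confirmed) in self._seen.items():
            ttl = WHITELIST_TTL if confirmed else GREYLIST_WINDOW
            if now - ts > ttl:
                stale.append(key)
        for key in stale:
            del self._seen[key]

    def pending(self):
        """Number of triplets still waiting for a retry."""
        return sum(1 for _, confirmed in self._seen.values() if not confirmed)


def simulate():
    """Constructed run: one real MTA that retries, one zombie that never does."""
    g = Greylist()
    log = [
        g.decide("192.0.2.25", "alice@example.org", "bob@example.com", 0),     # 450
        g.decide("192.0.2.25", "alice@example.org", "bob@example.com", 120),   # 450, too early
        g.decide("192.0.2.25", "alice@example.org", "bob@example.com", 600),   # 250
        g.decide("198.51.100.7", "x1@spam.example", "bob@example.com", 10),    # 450, never retried
    ]
    g._expire(5 * 3600)   # hours later: the zombie's triplet is gone, the MTA's stays
    return log, g.pending()


if __name__ == "__main__":
    for reply in simulate()[0]:
        print(reply)
```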
the spam is from security holes for the most part.
I run a small, but publicly traded company. Recently, I was contacted by a "PR firm" about "promoting the stock" of my company. Normally, I just hang up, but he mentioned a few "success stories" which seemed to correlate to some of the recent spam that had slipped through spamassassin. So I got his contact details and said since I was really busy "could he please email a summary of what we'd just talked about" (which he did).
I then called the enforcement division of the SEC and said I had the name and contact details for a company that was responsible for sending a number of unsolicited pump/dump email spams to me. I also told them that I had email from the spammer himself confirming that they'd done the deed. It wasn't some innocent bystander, but the people that actually SENT the mail. I was sent to a voicemail box and assured that I'd be called back. It's now about 2 weeks later and nobody ever called me.
And people wonder why there are so many of these vermin...uh, it's practically impossible to get caught!
I would like to see an "Ask Slashdot" article on why ISPs are not making full use of available anti-spam tools like SPF. Even blocking email from known dynamic-IP ranges would stop a lot of the zombie traffic. Nobody needs to send email from a box with an address assigned to Comcast or AOL or another consumer broadband provider. Why don't spam filters take advantage of this?
Spammers put garbage in the message body, subject, other headers, etc. in order to fool the spam filters - and unfortunately, they are often pretty successful.
But one thing they cannot change is their IP addresses. I wrote a script to parse my mail and save the IP addresses (or more precisely, their first two numbers - e.g., 213.186) that appear in spam messages, but not in normal ones. Then, I run another script on my incoming mail - which marks the message as spam if it contains a blacklisted IP address.
I update the list of IPs once in a while, and it works pretty decently. Right now, I have about 4,500 items in the list - each one corresponding to a range of 256^2 IP addresses - so it's about 7% of the whole address space (kinda scary). It blocks about 2/3 of spam, with almost no false positives. Most of my spam is also marked by the SpamAssassin (or whatever the mail server uses) and automatically moved into the spam folder, so I just run the script once in a while, and it "learns" on its own.
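The learn-from-your-own-spam-folder approach described above, as an added example that is not the poster's script: collect the first two octets of every address in the Received: headers of known spam, subtract the prefixes seen in legitimate mail, and flag incoming messages that carry a blacklisted prefix. The sample messages are constructed; the coverage helper reproduces the poster's arithmetic (4,500 /16s is about 7% of the IPv4 space).

```python
"""Learn /16 prefixes that appear in spam but never in legitimate mail, then
mark incoming messages carrying any of them. Added example, not the poster's
own script; all sample messages below are constructed."""
import re
from email import message_from_string

# Matches an IPv4 literal anywhere in a Received: header value.
_IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def prefixes_in(msg):
    """Return the set of 'a.b' prefixes of every IPv4 address in Received headers."""
    found = set()
    for value in msg.get_all("Received", []):
        for octets in _IPV4.findall(value):
            if all(int(o) <= 255 for o in octets):
                found.add(f"{octets[0]}.{octets[1]}")
    return found


def learn(spam_msgs, ham_msgs):
    """Blacklist = prefixes seen in spam minus prefixes seen in ham.

    Subtracting ham is what keeps false positives low: a /16 you share with a
    real correspondent (or your own relay's range, which appears in every
    Received: chain) is never blacklisted."""
    spam_prefixes = set().union(*[prefixes_in(m) for m in spam_msgs])
    ham_prefixes = set().union(*[prefixes_in(m) for m in ham_msgs])
    return spam_prefixes - ham_prefixes


def is_spam(msg, blacklist):
    """Mark a message if any Received: hop falls in a blacklisted /16."""
    return bool(prefixes_in(msg) & blacklist)


def coverage(blacklist):
    """Fraction of the IPv4 space covered: each /16 is 256**2 addresses."""
    return len(blacklist) * 256 ** 2 / 2 ** 32


# Constructed samples (documentation address ranges only).
SPAM_1 = (
    "Received: from [203.0.113.45] (helo=friend) by mx.example.com\n"
    "\twith smtp; Wed, 01 Nov 2006 09:15:02 +0000\n"
    "From: promo@stock.example\nSubject: STRONG BUY alert\n\n(image attachment)\n"
)
SPAM_2 = (   # shares its /16 with a legitimate correspondent below
    "Received: from [192.0.2.200] (helo=localhost) by mx.example.com\n"
    "\twith smtp; Wed, 01 Nov 2006 09:30:00 +0000\n"
    "From: deal@example.net\nSubject: Cheap meds\n\nbuy now\n"
)
HAM_1 = (
    "Received: from mail.example.org [192.0.2.3] by mx.example.com\n"
    "\twith esmtp; Wed, 01 Nov 2006 09:20:45 +0000\n"
    "Received: from workstation [10.1.2.3] by mail.example.org with esmtp\n"
    "From: colleague@example.org\nSubject: meeting notes\n\nsee attached\n"
)
INCOMING = (
    "Received: from [203.0.113.9] by mx.example.com with smtp\n"
    "From: a@b.example\nSubject: hi\n\nx\n"
)


def demo():
    """Train on the samples and classify the constructed incoming message."""
    spam = [message_from_string(SPAM_1), message_from_string(SPAM_2)]
    ham = [message_from_string(HAM_1)]
    blacklist = learn(spam, ham)            # {'203.0'}: 192.0 is rescued by ham
    return blacklist, is_spam(message_from_string(INCOMING), blacklist)
```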
I've gotten more spam the last week than the whole of October. Stock pump and dump seem to be in vogue at the moment.
what's the source of the spam? windows boxes
what propagates without knowing? window boxes
who's to blame for all this? windows boxes
what's never gonna solve it? windows boxes
who's gonna get most of this spam? windows boxes
solution? no more windows boxes
spam, due to all the filtering, I'm starting a collection. You can watch my spam at http://www.watchmyspam.com/ RSS feeds and a mailing list are coming soon - we're still in beta right now...
creation science book
Hey... what about Spamhaus? Did they already close? If they did, that would suggest something, don't you think?
SPF is not actually the silver bullet you think it is.
What's With All The Spam Articles?
Whenever an animal population grows to the extent that the critters become a nuisance we always put a bounty on their hides (or any body part that proves you killed one).
I say they should just pay people to kill these pests until they're down to a manageable level.
The race isn't always to the swift... but that's the way to bet!
I noticed a few SPF comments (can't reply directly to them due to the new /. "system" that seems to prevent threading).
I have not noticed that it helped at all in my case. I have a postmaster account set up with my host that catches all the replies to spams that are sent spoofing my domain. The number seemed to drop in the first week or so after I set up SPF, but it's now back up to an average of 500-1000 per day, and that's just the automated replies I'm seeing.
I assume the number of spams being sent is much higher, by orders of magnitude.
From the other comments, it seems possible that I'm misinterpreting the responses. Are they merely an indication of "success"? In other words, are they all just automated responses from the mail servers that correctly figured out (via SPF) that someone was spoofing my domain? This seems illogical, since I'm not sure why a mail server that figured this out would bother with an automated response. Such a policy would double the traffic associated with each "success", which is why it seems illogical to me.
In addition, of course, I see "out of office" and similar replies from individual mailboxes. Are these merely the indication of mail servers that have not implemented SPF on their (receiving) end? While that doesn't seem illogical, it seems just too easy. In other words, this issue has made me a little paranoid, and I just want to make sure I'm not relying overly much on SPF.
Are there other tools I could/should be using?
BTW, I've never, ever received a spam that spoofed a real domain of a large organization. I've seen lame phishes like paypal5.com, but never anything exactly like paypal.com, for example. It's hard to believe that the big guys are 100% successful with just SPF. Am I just being paranoid again?
Thanks in advance!
These are meant to poison filters. The idea being if they send a lot of messages with text they know that don't look like spam they can poison the filters and later use those known words/patterns to get real spam through the filter. There are likely other bits they are trying to poison as well with the non-SPAM SPAM messages.
"you just configure a TXT record"...
Can't do that. All of the places where I have registered domains don't allow the addition of TXT records in their web-based domain editors.
Why? Don't know. I have been asking for the feature 1-2 years ago and the request has been ignored.
Essay/short story spam--it's distributed travesty! http://runme.org/project/+travesty/
It's because of all the botnet / bot net spam of course!
I wonder how difficult it would be to detect if included images contain lots of text, and rate them as "likely spam".
There would be no need to really read the text. Any image that contains more than a certain number of "likely words of text" would get some score towards being spam.
Check out this link http://www.hawkwings.net/2006/08/01/mailapp-rule-fix-for-image-spam/
It's for Apple Mail, but can be applied to any mainstream email app.
This site has a list of spam stocks, most are big losers. Too bad you can't short them... spamstockracker.com
I'm reasonably knowledgeable about working with CPanel (all I have to work with on a reseller account). But it feels as though I need to RTFM for SMTP in order to decipher how to use SPF when most of my domain's email originates via my home DSL (covad.net) and must be sent via smtpauth.earthlink.net as they filter port 25.
What would be a much better solution all the way around IMHO is if servers were set up only to generate bounce messages to local users, and if people would STOP using challenge-response systems to try and combat spam--they only create more spam for everyone else!
Javascript, cookies, flash, and ActiveX must be enabled in order to view this sig.
Yet another group of people all saying how they'd solve the current spam problem, by addressing the current problem. Let's make better OCR!!!!!!! Let's write "true AI" grade image recognition! When will it end?
Don't you people know that the bad guys can program too?
I'm amazed these anti-spam companies don't have their own private small armies of grey-hats trying to break their own products. I swear half these stupid ideas would just go away.
Personally, I think it's time we move to a completely different model, and do a bit of biomimicking.
We already have the equivalent of skin and cell walls, protection of networks and computers against outside pathogens.
What we really lack is an effective way of dealing with viral cells (computers). The fact that the internet continues to tolerate these hundreds of thousands of hosts I find ridiculous.
The fact that most of these spam detection systems are held by private that don't share them is insulting.
I think what we need is a more real-time approach to spam and viruses and all bad behaviour, by just quarantining those machines (more or less) off the internet.
Something like this.
I've had 2 spam messages in my GMail Inbox today. I love GMail too, but catching 20 out of 22 spam messages for today isn't that great.
Y'all should use ASSP. It rejects spam at the SMTP level so the sender gets a nondelivery message. This is nice for false positives because the sender gets notified. It also saves some bandwidth because your server doesn't have to send a message, it just sends an error code during the SMTP session.
Features:
- RBL
- SPF
- Bayesian
- Detects forged HELO
- Message delaying
- Automatic whitelisting of email addresses you send email to
- Email interface to reclassify spam/nonspam messages for training
BTW, SPF isn't that good. Spammers have adapted and many have valid SPF records.
http://assp.sourceforge.net/
There's still raging debate about the effectiveness of SPF in the war on SPAM.
While I agree that it will help prevent forgery of your own domain, it doesn't really prevent the spammers from setting up SPF records for their domains with really loose rules, thus circumventing the "I know who sent this" part of SPF.
And, not to be too negative, SPF still doesn't have a good solution for secondary delivery (BackupMX, email forwarders, etc).
If you're still positive on the technology, you might want to consider adopting Sender ID. Despite being a Microsoft-pushed tech, it does a "little bit more" in verifying both the "envelope from" and the "friendly from" are from a permitted domain. And, for what it is worth, Microsoft recently put it under the Open Specification Promise.
One thing we can certainly all agree on: we'd like to see a permanent solution for the spam menace. >8(
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
Is there any chance whatsoever that we might somehow convince people to start telling the whole truth?
This description is almost a lie. This is not malware for PCs. This is malware for Windows. Not Linux, not 'PCs', Not Mac, Not Amiga, BeOS, Wind River, Next, BSD... whatever.
I'm not bashing, creating FUD or anything else. This Is Not A Trap. I'm just sick and tired of being painted with the same brush as Windows. The 'PC Virus' term is misleading; it makes my life a lot more difficult when I have to go to great lengths to explain to people that, actually, almost all of this malware only affects Windows and the software that runs on it.
Try to imagine how Bayer would have responded if the poison Tylenol scare in the late 80s were characterised in the media as 'poison headache remedy'? They would have freaked, and consumers would have, too. Journalists have a duty to report accurately and completely on issues that affect us, and this intellectual laziness is starting to look more and more like dishonesty as time goes on.
Crumb's Corollary: Never bring a knife to a bun fight.
I used to work for a spam company. They would buy 10 domains a week at $5/domain (reseller license). I set up SPF records for all of those domains because it would reduce the spam score at some ISPs if mail came from a domain with a valid SPF record. We were making $20k/day, so the cost of buying a domain was minimal. SPF records aren't quite used the way they should be.
We use Antigen, and I've noticed 100% of the image-based stuff is a .gif attachment. I've nothing against the .gif format, however, I can't think of a single user who has used it for email purposes - everyone I know or can think of has, does, or will be using .jpg.
It'd be nothing to configure Antigen to just drop anything with a .gif attachment. This is under review in our office atm.
Granted, it's not a very elegant solution...but it's simple and will work until a better filter or engine comes along.
Now - that is a web server, something fairly innocuous which I SHOULD be able to run if I want to.
Meanwhile, we have SPAM zombie Windows boxen spewing tons of crap out their ports, acting exactly like outbound mail servers, sending junk nobody wants, and the user doesn't know...
I would think the broadband companies would shut that down very quickly, if nothing else than to lower their bandwidth costs (or avoid overages on peering agreements, if that). I bet that if I set up a secure mail server and used that instead of the one they provide for sending and receiving email, they would have me shut down fairly quick.
Something is fishy here - are the BB companies in bed with the guys sending SPAM? On a side note - is it possible to appear as a SPAM zombie without sending SPAM, and instead be a webserver (ok, I am not serious here - I just think this two-faced hypocrisy is a load of crap - either give me open ports or enforce your damn TOS across the board).
Reason is the Path to God - Anon
Make sure to mark them as spam, it constantly gets better. :)
Compare this to my Yahoo or Hotmail inbox, both of which put the MAJORITY of spam into my Inbox. Last time I checked Hotmail, over 1000 spam in my Inbox, about 30 spam in the spam folder...
And this is a problem because... you can validate it, know that the spam really came from the spammer's own domain, and blacklist them. No, wait, that isn't a problem.
SPF was never about stopping spam, or about bypassing filters. It was about identifying forged senders at the domain level. It happens that there's a high correlation these days between the two, and in the long run knowing whether the sender is valid will be a useful piece of input in spam filters. And of course spam is what gets the headlines.
If you have some way of validating that the sender is who they say they are, you can do a number of things:
The main problem is that neither SPF nor DomainKeys has reached critical mass. Not enough places have implemented them, and implemented them strictly, for it to be worth checking. Not enough places are checking for it to be worth implementing.
Part of it is inertia. And there are still two main problems: forwarding services and road warriors. Both have solutions. You can have an SPF-aware forwarder, or one which implements DomainKeys. You can set up SMTP-AUTH on the submission port and remote users should theoretically be able to send using the home server (unless the network is brain-dead and blocks port 587 in addition to 25. And I have no doubt that they exist).
Whether SPF will prove useful in the long run is, I think, still up in the air. But saying that it's useless because spammers have "adapted" to it is missing the point.
The experts are implying that image spam is a new trick, and in a large part responsible for the increase in spam lately. However, it seems to me that image spam is a very old trick that spam filters are trained for. My spam filters block all messages that only contain images, for instance. I suppose that a mixture of text and images is what is effective, but from the filter's point of view, it doesn't matter much that the image is there. The spammers have already been using tactics like this, with or without images, for a long time. And in my little corner of the universe, image spam hasn't been getting through any better than spam without images.
Anyhow, I'm seeing a massive increase in spam since late September. While our filter is effective, the sheer volume has meant that many more junk messages are getting through. I think that what a lot of people fail to realize is that while the problem of spam can be dealt with effectively for personal email, especially if you take advantage of an online service like gmail, it's a totally different ballgame in the corporate world where spam is a tricky and costly problem. Work email addresses get published (thus harvested) for a number of legitimate reasons, and once a mailbox is on the radar it seems like the rest of them start getting sucked in. Some employees can effectively ignore their junk boxes, but others simply can't -- it can be costly to miss an email. This reduces spam filtering for these employees to a simple ranking system: "here are messages that are probably legit and you should look at right away, and here are a whole shitload of messages that are probably junk but there might be an important one in there somewhere."
My organization is relatively small, and we don't benefit from hundreds or thousands of users training the filter. Thus when there's a large increase in spam that's getting through, it can take the filter a while to learn to block them effectively. During this time it's not uncommon for the occasional legitimate message to be sent to the spam filter by a user who doesn't notice it tucked into the 75 new messages in his mailbox, and this makes matters even worse. Finally, it's really hard to get users to send their junk mail to the filters, even when you've got it set up as a simple drag & drop procedure that's just as easy as deleting. If you can only convince a percentage of your people that training the filters actually works and is important, and you only have say 50-100 employees, then you may not have near the support required to really make Bayesian filtering work to its potential effectiveness.
Anyhow, over here we've seen a huge increase in spam, with some email-heavy users who used to get 10 in their inbox per day now getting 30 to 50 or more, and with potentially hundreds going to junk boxes. (this has decreased, I think things have settled down during the past week) We run a variety of filtering measures including header checks, DNS blacklists, and Bayesian analysis but just enough spam is able to get through on a daily basis to make things difficult. Back to my original topic: virtually none of the spam getting into user inboxes has been image spam, and only a small percentage of blocked spam is image spam.
Stats from last thirty days here: Messages Processed: 91588, Spam: 72881, 80%. A large portion of our legitimate messages are internal, which are not "filtered", but still counted by the system. A large number of spam messages are getting through, so I would conservatively bump that percentage up to 83-85%.
What an absurd problem. I'm going to have to put more effort into reducing its effect.
I did this. It didn't help at all. Maybe whoever is joe-jobbing me is sending all the email to servers that don't have SPF checking. Sigh.
As new versions of spam-filters get upgraded to detect text inside graphics and analyze it along with other text for spamminess, the spammers will, no doubt, start using "captchas" to make the detection harder.
Research on the detection will then improve (much of it -- in Open Source), allowing the spammers to defeat the captchas currently used on web-pages...
Information wants to be free, but there is something about keeping your designs secret from the enemy.
In Soviet Washington the swamp drains you.
I have used greylisting for years, love it and recommend it to other people.
Unfortunately, the silver bullet is no more, the zombies got smarter.
The current stock scams all come through our greylisting, so the senders must have a retry mechanism of some sort.
Then you'll see spam levels drop. Most spam is distributed via windows botnets. Thanks Billg for all you've done for the world.
we will end no whine before its time
The result: a _dramatic_ decrease in bogus bounces from over 10k/day to about 60/day.
There's no doubt that enough MTAs out there are implementing SPF verification and rejecting the spammers' bogus attempts. Enough to make the spammers clean SPF-protected domains from their "why not use this domain in the From: just for the heck of it" lists.
In my case it took minutes from the publishing of an SPF record, to seeing the sharp drop.
My story in detail is here: http://yendor.com/nospam/
My November stats look even better. I'm down to about 6500 spams/day (total, not just bogus bounces) none of which I actually see. This is down from the well over 10k/day October peak. Not sure this has anything to do with SPF though.
I also have a solution (hey, works for me) for the recent increase in pump-and-dump GIF attachments. I'm taking multiple signatures of all MIME parts of anything hitting my honeypots and marking anything matching them as spam-by-association for a limited time.
No more GIF attachment spam either.
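The spam-by-association idea from this post, as an added example rather than the poster's own code: hash the decoded payload of every MIME part of a message that reaches a honeypot address, keep each digest for a limited time, and mark any later message that carries a part with a matching digest. The messages, the three-day TTL and the honeypot address are constructed assumptions; the same content-hash cache is what lets an OCR plugin avoid re-processing an image it has already scored.

```python
"""Spam-by-association on MIME parts (added example, not from the thread).

Every leaf part of a message delivered to a honeypot is fingerprinted with
SHA-256 over its *decoded* payload, so a re-encoded or renamed copy of the same
GIF still matches. Signatures expire after SIGNATURE_TTL so a part that later
turns up in legitimate mail does not stay poisoned forever.
"""
import hashlib
from email import message_from_bytes
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SIGNATURE_TTL = 3 * 24 * 3600   # keep a honeypot signature for three days (assumed)


def part_signatures(raw):
    """Return the set of SHA-256 digests of every leaf MIME part's decoded payload."""
    sigs = set()
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue                       # containers carry no payload of their own
        payload = part.get_payload(decode=True)
        if payload:
            sigs.add(hashlib.sha256(payload).hexdigest())
    return sigs


class AssociationFilter:
    def __init__(self):
        self._sigs = {}                    # digest -> expiry timestamp

    def learn_from_honeypot(self, raw, now):
        """Record every part of a message that hit a honeypot address."""
        for digest in part_signatures(raw):
            self._sigs[digest] = now + SIGNATURE_TTL

    def is_spam(self, raw, now):
        """True if any part of `raw` matches an unexpired honeypot signature."""
        self._sigs = {d: exp for d, exp in self._sigs.items() if exp > now}
        return bool(part_signatures(raw) & set(self._sigs))


def build_message(text, gif_bytes, filename):
    """Construct a text+GIF multipart like the pump-and-dump mails being discussed."""
    msg = MIMEMultipart()
    msg["From"] = "promo@stock.example"
    msg["To"] = "honeypot@example.com"
    msg["Subject"] = "Investor alert"
    msg.attach(MIMEText(text))
    img = MIMEImage(gif_bytes, _subtype="gif")   # explicit subtype: no sniffing needed
    img.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(img)
    return msg.as_bytes()


def demo():
    """Constructed run: same image under a new name and text, a different mail, and expiry."""
    gif = b"GIF89a" + bytes(64)            # stand-in bytes, not a real image
    flt = AssociationFilter()
    flt.learn_from_honeypot(build_message("Hot stock!!!", gif, "chart.gif"), now=1000)
    same_image = build_message("completely different wording", gif, "x7.gif")
    unrelated = build_message("Quarterly newsletter", b"GIF89a" + bytes([1]) * 64, "logo.gif")
    return (
        flt.is_spam(same_image, now=2000),                      # True: GIF digest matches
        flt.is_spam(unrelated, now=2000),                       # False: nothing shared
        flt.is_spam(same_image, now=1000 + SIGNATURE_TTL + 1),  # False: signature expired
    )
```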
Regarding the image spam that's on the rise, some spam filters are actually using OCR to turn the images into text and then scan them. There's a plugin for SpamAssassin called FuzzyOCR which does this. I'm testing it out and it actually succeeds on about half of the image spams I get (the other times, it crashes due to bugs in the various image converters that it relies upon).
It does jack the server loads up, as you'd expect. Fortunately, one of the features that it uses is that it keeps a hash value (and the spam score it got) for all of the images that it OCR's, so it only has to do each image once.
It is pretty surprising to see it work. With FuzzyOCR turned off, my test messages get scores of 2 or 3. With it turned on, the scores jump up to 20-30.
The major cause of all the spam is the .gif/.jpeg style spam. There has been a significant increase of this "newer" spam while the levels of older text type spam are still the same.
What I found interesting (and was unable to locate) was some values a slashdotter posted for his environment. It was something like 8000 spam in OCT 2004 and 56000 spam in OCT 2005. It would be interesting to see what his OCT 2006 values were (if you're reading this).
As the article indicated the Zombie farms are going to be the largest problem. Using a form of greylisting to stop or throttle connections will allow you to remove much of the spam prior to it hitting your filters. For those who do not know... A zombie farm is basically a bunch of infected computers that can have commands run remotely against them that they will perform such as a script that generates SMTP traffic. In this case spammers will pay these zombie farm controllers currency to shoot out billions of spam messages.
Anyway, until we make it illegal to produce/profit off unsolicited email it's just going to keep climbing.
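The greylisting front end suggested above, as an added example (not the poster's code): a never-seen (client network, sender, recipient) triplet gets a temporary failure; a real MTA queues and retries after the delay and then passes, while a zombie that fires once and never retries never reaches the content filters. The delay, windows and sample addresses are assumptions.

```python
"""Greylisting at RCPT TO time, ahead of SpamAssassin."""
import time

GREYLIST_DELAY = 300               # seconds before a retry is accepted
PENDING_WINDOW = 4 * 3600          # forget a triplet that never retried
PASSED_LIFETIME = 36 * 24 * 3600   # how long a passed triplet stays whitelisted

DEFER = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    def __init__(self, now=time.time):
        self.now = now  # injectable clock for testing
        self._pending: dict[tuple, float] = {}  # triplet -> first seen
        self._passed: dict[tuple, float] = {}   # triplet -> last accepted

    @staticmethod
    def _key(client_ip: str, sender: str, rcpt: str) -> tuple:
        # Key on the /24 so a legitimate relay farm can retry from a sibling
        # address; a tighter key would defer such retries all over again.
        net = ".".join(client_ip.split(".")[:3])
        return (net, sender.lower(), rcpt.lower())

    def _expire(self, t: float) -> None:
        self._pending = {k: v for k, v in self._pending.items() if t - v < PENDING_WINDOW}
        self._passed = {k: v for k, v in self._passed.items() if t - v < PASSED_LIFETIME}

    def check(self, client_ip: str, sender: str, rcpt: str) -> str:
        """Return the SMTP reply to give for this envelope."""
        key = self._key(client_ip, sender, rcpt)
        t = self.now()
        self._expire(t)
        if key in self._passed:
            self._passed[key] = t   # refresh the whitelist entry
            return ACCEPT
        first = self._pending.get(key)
        if first is None:
            self._pending[key] = t  # first sighting: ask the client to come back
            return DEFER
        if t - first < GREYLIST_DELAY:
            return DEFER            # retried too eagerly, keep waiting
        del self._pending[key]
        self._passed[key] = t       # genuine retry after the delay: let it through
        return ACCEPT


if __name__ == "__main__":
    # Constructed walk-through with a fake clock (addresses are documentation ranges).
    clock = [0.0]
    g = Greylist(now=lambda: clock[0])
    print(g.check("198.51.100.7", "news@example.org", "editor@example.net"))  # 451
    clock[0] = 600
    print(g.check("198.51.100.7", "news@example.org", "editor@example.net"))  # 250
    print(g.check("203.0.113.9", "x@spam.invalid", "editor@example.net"))     # 451
```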
So how much SPF protection do I need?
I use SpamAssassin and train it regularly against obvious spam. I've heard that this new crop of spam GIFs accompanying seemingly-normal text is meant to get through or even de-train Bayesian filters, but wouldn't SpamAssassin be able to recognize [snip] ...
Yes and no. I use SA on my mail server with the additional SARE plugins. SA does recognize email with an attached GIF but really, it cannot detect much else beyond that. An attached GIF on a seemingly spam-like message (on my system) counts as 1.3 out of 6.0 (spam threshold) points. That's the SARE_GIF_ATTACH rule firing but beyond that, if that's all the message contains, there isn't anything for SA to count against that message except RBL and reverse DNS checks on the sender.
On the flipside (and maybe I'm too generous in my scoring) stuff that gets into my Spam folder (6.0 points or higher, less than 7.0) is mostly text spam where the BAYES_99 rule fires. However, no other rule is violated and the message gets 6.0 points. I wonder if BAYES_99 is foolproof enough where I can score it 7.0 and it will get auto-dumped to /dev/null in the future.
Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
Postini isn't perfect, but it's good. It blocks something like 99% of the spam. Best of all for a small shop like mine with just a few mailboxes, the constant barrage of attempted deliveries each day never gets on that network pipe I'm paying for. They don't busy my server with oddball filtering schemas or neural network comparisons (which is one technique I tried that was effective but processor intensive). Everything is very peaceful now on my servers.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
August 2005: [spam statistics image not included]
November 2006: [spam statistics image not included]
I really don't want to get rid of them, as they have otherwise spectacular service with ginormous amounts of web space and transfer limits for very very cheap. I think they allow me to use external DNS services, but who wants to go through that hassle for any significant number of domains and subdomains.
Anyone have suggestions for additional ways I can motivate my provider to provide support for SPF? Case studies/stories of other ISPs doing so would probably work best.
Barring that, I'd take suggestions for good free/cheap DNS services.
I use aliases for every different website, forum, and merchant I sign up at. Like cdw@mydomain for CDW purchases, etc. It's very interesting to see which address is being used to get spam to me... which worries me because what if they made off with the rest of my account info? I always contact the vendor and explain to them that they've been compromised but they never believe me or I get a knucklehead support person who isn't capable of problem solving.
At least I know who the offenders are and can delete the alias, thus eliminating that avenue of spam.
I use crm114.. It all goes to my spambox...
I haven't had to retrain it in at least 2 months.
I left them because of this and other inflexibilities.
- Can't add custom DNS records
- Can't have a simple user name (I hated their cryptic and long home-dir scheme)
- Most importantly: can't run filters on the incoming mail servers
I switched to dreamhost who for the same <$10/month price also doubled my storage to 4GB (and rising each month) and seem to be so much more friendly and flexible to reasonable requests.
-- SiL / IKS / concerned citizen
Wait.. if we devise a way of reliably defeating text-images in spam, wouldn't that help the spammers by giving them the tools to defeat text-in-image used by free email sites and the like? It seems they're using our tools against us... again.
I get anywhere from 10 to 100 of these per day.
I got this rule somewhere, and it seems to work for filtering out the gif spam for me:
If the "content-type" header contains "multipart/related", classify as spam (and not in address book, previous recipients, etc).
Don't know exactly what this implies, but it seems to be working for me; otherwise I would be getting tons of gif spam that passed my server's SpamAssassin and my e-mail client's Bayes filter.
It could be, but all the spam I'm seeing is from countries other than the US. I do get one or two spams from the US a week. This could be in part due to us using blacklists, and those lists being more effective at blocking US spam - I don't know. But I've been building an access list for our mail server and all the ip numbers are from places like Russia, China, Poland, Germany, France, etc. Since we don't do business in general with other countries I can block them - but I know this isn't a good solution. But it is all I got right now. And most all of it is these image spams - though not all. Maybe these are zombied machines as well - but it just seems more like it is from the source spammers. Guess I have no reason to believe that.. heh.
Reputation systems that assert "x is not a spammer", perhaps with some delegation, are the only long-term answer. Blacklisting was a decent heuristic for a while, IMHO, but it is now approaching end of life.
But whitelisting will require authentication. Are you openpgp-signing your mail yet? If not, then you're part of why whitelisting can't take off yet. You're part of the spam problem.
BTW, one thing I don't get about image spam, is how they get the receivers to look at the image. When I receive a spam, especially one with a lot of nonsense text, it doesn't even occur to me to examine the attachments. It's not so much paranoia about a libpng buffer overflow or something, as it is lack of curiosity.
All I can think of, is that there is some popular email client out there, which shows attached images automatically whether or not the user expressed an interest in the attachments. If that's what's happening, then that email client needs a patch.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Domain owners: Set up SPF NOW!!!
What the fuck is SPF?!?!?! Tell me NOW!!!!!
Why bother analysing the images? Block all email with attached images. Whitelist your friends and usual correspondents in case some insist on using "stationery" or sending images.
Translate rules as necessary for your favorite mail client.
0 1 - just my two bits
Just disallow anything that isn't text/plain content type and there you go, no more image spam. Stupidest move ever to allow HTML in e-mail.
:D
On my own mailserver I discard any text/html messages, and mixed messages get the text/html bit stripped out of them. So sorry if I didn't get your important e-mail, send it to me in plain text, without the cute corporate background, without the cute corporate mandated font, and without the 10 attachments that make up the various bits of your signature and corporate disclaimer. And do include a text/plain representation of your e-mail, or I won't receive it, and will not now, or ever, give a crap
Works fine.
There is no sig...
I manage the email department for a large financial institution. We have seen our spam volumes quadruple in the last 3 months, to over 70,000,000 spam messages per week. However, being a large financial institution, we have $$$ to spend, so we purchased Ironport Anti-spam this past spring. The amount of email (mostly legit) going through our filters in this same 3 month period has remained completely flat - even with the increase of spam on our perimeter, no more is getting through than 3 months ago. For those of you struggling with the spam situation and have money to burn, you may want to look into Ironport. -Lokatana
X'mas!
I don't mean to be selfish here but there are other factors as well...
Leading here on Rogers is the Mail servers being switched over to Yahoo...
We all know what kind of privacy policy THEY have don't we.....
I NEVER got spam before this, and then I started getting fifteen a day... Now it's between twenty to forty a day... thank god for filters but what about the bandwidth it's wasting?! I'm seriously considering sending them a charge for sending me this unsolicited e-mail from their Parent/child spam companies... I complained of course back then, and got the usual "do this to help protect yourself"...
But what happens when your ISP is the main factor in your e-mail addy being passed around?!
Cheers
End of Line.
So I guess you can imagine why I moved my domain OFF the _free_ webhosting that comes with my 1&1 DSL towards a hoster that actually lets me edit my zonefile myself...
...but the morons who actually BUY spamvertized products.
As long as there's ONE SINGLE PERSON on the 'net who follows the stock advice, buys the phenomenally new herbal shlong enlargement pills, etc, the criminals who want to sell them will keep giving jobs to spammers.
Solution:
1. make it illegal to advertise by spamming. make it equally illegal to pay others to do it for you.
2. make it illegal to buy products that have been advertised in any way that's not legal.
3. make sure that every civilized country does the same.
4. hit them hard.
bye,
[L]
This is really interesting.
Could you post this log somewhere? Rapidshare or something?
I'm aware of a UPnP buffer overflow which could result in arbitrary code installing spambots, but I've never heard of anything like this in the wild.
We get masses of backscatter spam (looks like a joe job, but it isn't intentional). The most effective approach seems to be to check the recipient at SMTP time and reject the message. SMTP time delays help some, but not enough by themselves. Then run the remaining two percent through SA with lots of inputs and we get maybe 0.1% of incoming spam delivered at this point.
Please stop bouncing spam to forged senders. We can live with the aimed spam, but all that backscatter is a huge waste of net resources.
MB
I am a viral sig. Please copy me and help me spread. Thank you.
Approx. emails checked      38,313   100.00%
Approx. emails blacklisted  25,583    66.77%
Approx. emails whitelisted   9,810    25.60%
Approx. emails passed check  2,920     7.62%
Spam Rate - 89.76%
---
#1  Keyword Filtering                  65.03%  57.50%
#2  Recipient Blacklist                24.95%  34.89%
#3  SURBLs                             11.83%  11.48%
#4  DNS Blacklists                      6.60%   6.62%
#5  HELO Blacklist                      1.08%   1.20%
#6  Reverse DNS                         5.14%   0.82%
#7  Greylisting                         0.25%   0.70%
#8  SPF Test                            3.25%   0.64%
#9  Attachment Filtering                1.40%   0.17%
#10 External Agents                     1.12%   0.13%
#11 Sender Blacklist                    0.04%   0.04%
#12 Active Directory Integration        0.00%   0.00%
#13 IP Blacklist                        0.00%   0.00%
#14 User-Defined URL Domain Blacklist   0.00%   0.00%
-- and for me.. SPF only contributes 0.64% to blocking spam..
I've just started collecting spam statistics based on a few modifications I made to my presence on the internet. Basically, I was getting about 100 spams per night. Now, after altering my email address when I post to newsgroups to include "nospam", and changing the mailto tags on my webpages to images of my email, my spam has gone down to about 30 per night - and still falling. I also access my email server side, before downloading (no broadband you see), and select unwanted messages to train SpamGuard - and this has helped a lot!
My web domain.
Indeed, my gmail account has seen a DRAMATIC rise (something on the order of 150+ per day, from around 30 per day) in spam arriving in my spam folder. The occasional 1 or 2 still makes it through to my inbox, but most of those are foreign language, usually Asian languages that I can't read anyway. It seems like a huge proportion of them are joe job spam bouncing back for my domain, as well. Annoying that the spammers have picked up my domain as a joe job domain, but what can ya do?
Here is a procmail recipe set to catch the gif spams: anti-gifspam
Hey, sounds interesting. I implemented something similar when I was working on handwriting systems and wanted to send "handwritten emails". The email was just a notification with a URL to the handwritten page.
It worked pretty well. One big plus was that the sender could tell if and when the message had been read! (or at least viewed)
Obviously each sender had to have access to a server, which is a downer in some cases but should be fine for a web-based system.
Best of luck with your project.
rt
yes, you can combine an external DNS provider with 1and1 - I use ZoneEdit.com, and it allows adding SPF records.
Microsoft must take some of the blame for this. Windows' lack of security has led to these huge Windows botnets, and the only way to solve the problem is for these boxes to switch to a more secure OS. If Vista has really fixed the security issue as Microsoft claims, maybe they should be giving it away free to solve this problem which they caused...
I knew that would be the response from most of you. 'What spam?'.
Morons.
No one CARES if we techies can get our spam filters working - that is NOT the case for most of the world and that does NOTHING for the amount of bandwidth being sucked up by these parasites.
Seriously, slashdot could basically do keyword comparison of articles of the last few years and simply repost the wannabe comedians along with the 'What - never happens to me'. The posts would be just about as informative. This site has become a place for people with no lives to post the same crap over and over again. You seldom actually ANSWER the question posed by people or respond to what the freaking article is about. It's stupid jokes or microsoft bashing - and then you chuckle to yourself for being funny - if any of you WERE funny, at least it would be amusing to read.
AND to NOT be one of you people:
I've certainly noticed a spam spike - also a spike in the payload containing a virus, though that has subsided. I'm still trying to understand why we allow this to go on. I guess the problem is bandwidth keeps getting cheaper - I just don't see the ISPs not taking draconian steps to correct the problem if they were bleeding cash from it. I suspect that as long as bandwidth cost keeps dropping we can expect the big players to do nothing - it's cheaper and easier than fixing the problem.
People actually see spam touting a stock and buy it.. (??).
Here's some info (from early October) showing that the spammers do influence trading and also that their claims are totally bogus (just in case someone actually believed them.. yikes).
We could think specifically what is our main set of email senders and use filters based on that.
An example: I work for a Portuguese university newspaper.
We have a lot of domains which go directly to the same inbox, and as we have a big exposure we get a really huge amount of SPAM, so we are thinking about rejecting any email if it does not fulfil at least one of these conditions:
1 - The sender being in our email address agenda
2 - The sender email containing '@yahoo', '@gmail' or '@hotmail'
3 - The sender having a '.pt' domain in their address
4 - The message being written in Portuguese
This is really effective, and is dramatically light.
No image processing, no Bayesian filters, no need to check IP, no need to resend the message
1 - The majority of the people with whom we communicate are known to us, so they are likely to be in our agenda
2 - The majority of people who have non-institutional email have it at yahoo, hotmail or gmail.
3 - As we are a Portuguese newspaper we believe the main set of our senders have a '.pt' domain email server
4 - If a stranger who doesn't fulfil any of the above clauses tries to reach us via e-mail, they are likely to do it in well written and clear Portuguese, so the filter will accept them.
NOTE: We reject all messages except if they fulfil at least one of the conditions described above.
English is the most popular language in worldwide email communications, so as a consequence more than 50% of SPAM is written in English, so it could be a tool for a non-English native speaker to use within an anti-SPAM filter.
Being a newspaper we want to receive emails from strangers, but we are almost 100% sure they fit at least one of those conditions.
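The accept-if-any-of policy from the post above, written out in Python as an added example (not the newspaper's own code): the four conditions are checked in order and the message is rejected only when none holds. The address book, the stop-word test for Portuguese and its threshold are assumptions; note in the comments that rules 2 and 3 rest on a From: header that spammers forge freely.

```python
"""Accept a message if at least one sender/content rule matches, else reject."""
import re
from email.utils import parseaddr

ADDRESS_BOOK = {"maria@alumni.example.org", "reitoria@uni.example.pt"}  # constructed
WEBMAIL = {"yahoo", "gmail", "hotmail"}  # the post matches '@yahoo' etc. as substrings
# Short list of very common Portuguese function words (assumed heuristic).
PT_STOPWORDS = {
    "de", "a", "o", "que", "e", "do", "da", "em", "um", "para", "com", "não",
    "uma", "os", "no", "se", "na", "por", "mais", "as", "dos", "como", "mas",
    "ao", "sobre", "ele", "das", "seu", "sua", "ou", "muito", "nos", "já",
    "eu", "também", "é", "são", "foi", "ser", "está", "pelo", "pela",
}
PT_RATIO = 0.2      # fraction of tokens that must be Portuguese function words
PT_MIN_TOKENS = 5   # too short to judge below this


def split_sender(from_header: str) -> tuple[str, str]:
    """Return (local-part, domain) of the From: header, lower-cased."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.lower().partition("@")
    return local, domain


def looks_portuguese(body: str) -> bool:
    """Crude language test: share of tokens that are Portuguese function words."""
    tokens = re.findall(r"\w+", body.lower())
    if len(tokens) < PT_MIN_TOKENS:
        return False
    hits = sum(1 for t in tokens if t in PT_STOPWORDS)
    return hits / len(tokens) >= PT_RATIO


def decide(from_header: str, body: str) -> tuple[bool, str]:
    """Return (accept, reason); rules are tried cheapest first."""
    local, domain = split_sender(from_header)
    if f"{local}@{domain}" in ADDRESS_BOOK:
        return True, "sender in address book"
    # From: is trivially forged, so rules 2 and 3 only hold up if the MTA has
    # already verified the sender (SPF or similar) before this step runs.
    if domain.split(".")[0] in WEBMAIL:   # first label: yahoo.com, yahoo.co.uk, ...
        return True, "webmail sender"
    if domain.endswith(".pt"):
        return True, ".pt sender domain"
    if looks_portuguese(body):
        return True, "body in Portuguese"
    return False, "no accept rule matched"


# Constructed sample bodies.
PT_ENQUIRY = ("Bom dia, gostaria de saber se o jornal aceita artigos de "
              "opinião sobre a vida na universidade.")
EN_PUMP = ("Buy this hot stock now before it explodes! Limited time offer "
           "for serious investors only.")

if __name__ == "__main__":
    print(decide("stranger@example.net", PT_ENQUIRY))   # (True, 'body in Portuguese')
    print(decide("pump@stock.invalid", EN_PUMP))        # (False, 'no accept rule matched')
```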
http://www.mailwasher.net/
It's a band-aid, but a very useful one for users of POP mailboxes.
Sender Policy Framework. Almost like a reverse MX record that states what servers/IP addresses mail for a specific domain can come from.
One of the most interesting parts about it is the availability of the 'exists' function. By placing an 'exists' statement in your SPF record and using some of its variables, you can actually record in your DNS logs what IP addresses are sending email from your domain. You can also see what users are sending from what IP addresses [and what accounts are bogus]. This only works when some mail server receives a mail from your domain and they ARE checking SPF records though. Mail servers that are not using SPF will not generate these specially formed DNS queries.
Interesting information. It will allow you to study email regarding your domain allowing you to enforce SPF [instead of just using the ~all suggestion] when it will least affect your customers.
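To see what those "specially formed DNS queries" look like, here is a minimal SPF macro expander as an added example. It is my own code, not the SPF library's and not a complete RFC 7208 implementation: it handles the macro letters s, l, o, d, h, i, v, the digit count and the 'r' reverse transformer, which is enough to turn an 'exists:' mechanism into the name a checking MTA will look up. The sample record, IPs and addresses are constructed.

```python
"""Expand SPF macro-strings and list the names an 'exists:' mechanism queries."""
import re

MACRO = re.compile(r"%\{([slodhiv])(\d*)(r?)([.\-+,/_=]*)\}")


def expand(spec: str, client_ip: str, sender: str, helo: str, domain: str) -> str:
    """Expand a macro-string the way the receiving MTA does during a check."""
    local, _, sender_domain = sender.partition("@")
    values = {
        "s": sender,          # full MAIL FROM address
        "l": local,           # local part of the sender
        "o": sender_domain,   # domain of the sender
        "d": domain,          # domain whose SPF record is being evaluated
        "h": helo,            # HELO/EHLO name
        "i": client_ip,       # connecting IP (dotted form for IPv4)
        "v": "in-addr",       # "in-addr" for IPv4; IPv6 ("ip6") is not handled here
    }

    def replace(m: re.Match) -> str:
        letter, digits, reverse, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]  # keep only the rightmost N labels
        return ".".join(parts)

    out = MACRO.sub(replace, spec)
    return out.replace("%%", "%").replace("%_", " ").replace("%-", "%20")


def exists_queries(record: str, client_ip: str, sender: str, helo: str, domain: str) -> list[str]:
    """Return the DNS names that 'exists:' mechanisms in this record make the checker look up."""
    names = []
    for term in record.split():
        mech = term.lstrip("+-~?")  # drop the qualifier, if any
        if mech.lower().startswith("exists:"):
            names.append(expand(mech[len("exists:"):], client_ip, sender, helo, domain))
    return names


# Constructed record: every check logs who is sending as example.com, and from where.
SAMPLE_RECORD = "v=spf1 exists:%{l}.%{i}._spf.%{d} mx -all"

if __name__ == "__main__":
    for name in exists_queries(SAMPLE_RECORD, "192.0.2.10", "alice@example.com",
                               "mta.example.net", "example.com"):
        print(name)  # alice.192.0.2.10._spf.example.com
```

Each such name shows up in the authoritative server's query log even when no record exists for it, which is the logging effect the post describes.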
No wonder you're an AC.
As we all know, the spam problem was fixed when congress passed the CAN SPAM act.
Yeah, whatever. Setting up SPF might (or might not) be helpful for something, but it won't do a thing to decrease the volume of spam being sent.
I am collaborating with the Zorean team on the EmailXT project, a new protocol for email that, among other things, allows everyone to switch to the new system at their own pace: you don't need to wait for the whole world to switch before you can use it. You need, of course, at least another EmailXT user to correspond ;) It's not a painless transition as you might have imagined, as you'll have to use two email clients during the transition phase. But you can use both clients on the same email address.
EmailXT features seamless encryption and compression, self-updatable address books, tasks and events, no spam and viruses (i.e., no way to perform unauthorized bulk emailing), file sharing, among others. Read more at the site. Warning: Pre-Alpha stage.
Ah, and EmailXT is an open, patent-free protocol. The first specification draft will be published before the end of the month...
Sorry for the plug, but I guess I'm still on topic.
For both the audience that the media is writing for, and for the media themselves, a PC *is* Windows. They understand that. When I tell people that my computers (all linux or BSD) have never gotten any viruses, that they've never (to my knowledge) gotten taken over or infected with anything, that I don't have to run antivirus programs, they look at me like I have something wrong in my head unless they already know a lot about computers. The general public has accepted viruses and trojans as the cost of doing business with Windows.
Nostalgia's not what it used to be.
Have you talked to CERT about this? I'm sure they'd be interested. What about D-Link itself?
Ignoring for the moment your admission of guilt, how did you make that $20k/day?
Who was paying you?
1) I use spamc/spamd instead of invoking spamassassin directly - big save on a busy server.
2) Limit the size of emails being scanned - spammers usually use small messages since larger ones are more expensive (cpu and network) to send. This will probably change someday since botnets reduce this cost.
3) Limit the number of spamc/spamd invocations to 1/user via a procmail lockfile; also double locksleep to make this even nicer.
4) Limit the number of spamd children (done by default in most distributions).
Here's my /etc/procmailrc -
But if you train these messages as spam, and they send similar messages with links, those messages will actually be more likely to be recognized as spam.
What they're more likely to succeed at is not detraining the filters but overtraining them. By sending innocuous text and getting it trained as spam, your filter is more likely to mark normal mail as spam, thus increasing the level of false positives and resulting in a filter which marks spam, but isn't terribly useful.
At least, that's the theory, and the more likely goal. I use SpamAssassin, and I generally train on these anyway. I don't see many false positives, and of those I do see, very few (if any at all in the past year or so) have been attributable to the Bayesian portion of the analysis.
YMMV.
I'm a domain owner preparing to set up SPF.
I still believe it can still help, even though you're right. For any given person, the spam goes from the spamming (probably zombie) machine to that machine's ISP, then to the destination machine's ISP, then to the destination machine. Ordinary mail usually hops through an "administered mail relay" twice, and each of those hops is an opportunity to kill it with SPF. There has been much made of ISPs who know their users are spammers, but given that we're talking about zombies here, I don't think the ISPs of those zombie machines are spam-friendly. If SPF were pervasively used in this situation, it would cut spam traffic by 1/3 to 2/3, simply by dropping it on the floor sooner. Of course if SPF were pervasively used spammers would be seeking some other way to get their messages out.
I have a forwarding domain with DynDNS, so my mail takes 1 extra hop, and has 1 extra chance to get killed.
I believe one of my mother's friends has an infected machine, because a month or 2 back, I saw an upsurge in bounce notices being sent back to me. I'm getting Joe-jobbed big-time. I've looked at the headers, and not only is the 'originator' not a valid ID at my domain, the whole thing is forged. In the past week I've gone to the trouble and expense to get Mailhop Outbound at DynDNS, have set up all of my domain's email to go through it, and next will set up an SPF record. Whoever respects SPF can easily detect and kill this stuff. I've done my part.
The living have better things to do than to continue hating the dead.
So I don't really know what any of you are talking about.
October was a spammy month? Hrm. My condolences.
No bayesian training, no spam filters, no whitelists, no blacklists, and my MX is wide open: no DNS blacklists either.
Oh well. My condolences for those of you who can't use one-off aliases and keep perfect control over who has which alias and where.
That's all well and good, but I find it frustrating that with all the talk about SPF, I have yet to see any recommendations on the SPF level.
I mean, is SPF 15 good enough? I have fair skin, so I've always used SPF 45.
Also, which brand is preferable? Coppertone?
Needless to say, I get a lot of spam in the queue. I check the contents of the spam to set up filters to detect and autonuke frequently occurring phrases or website addresses.
In the last month, I have noticed a serious rise in spam that is a list of URLs that are hosted on wikis and forums that obviously have nothing to do with the content of the spam (usually it's technical-related wikis and pr0n- and drug-related spam). Here's an edited sample:
http://example.com/wiki/lib/exe/fetch.php?w=120&h=120&media=8-somedumbchick-nude.html
I've been notifying admins of the sites being abused when I have time (and when there is a contact address on the site). Some respond and some don't. One interesting response - "I'm surprised at how sophisticated the bot was - it arrived, appeared to look around, tried to edit, failed because it wasn't logged in, created a user, then proceeded to post things. I'll have to set up some kind of CAPTCHA."
Keep an eye on activity on your wikis and forums. And please don't require creating an account to get access to your contact info!
When SPF is used it prevents spoofed mail from reaching recipients' inboxes. It significantly reduces the amount of bounces that a mail server sends when a spammer tries to send spam to non-existent email addresses. It also means that spammers have fewer domains that they can spoof, which does make their job harder.
I know this is wishful thinking, but if all domains published SPF and all email servers enforced SPF, the spammers would have to start buying lots of domains.
No, I will not work for your startup
No, I hadn't gone any of those routes yet. I still have the modem in its crippled state. You can plug it in and fire up ethereal and watch the show. Good times. I think whatever it was may have tried to reach out to the three machines I had on the network and I was worried that it rooted linux and possibly got through to the bios.
Perhaps I'm just being overly paranoid, but better to err on the side of caution, I suppose.
It seems like I read about a DHCP exploit for D-Link routers some time ago. I'd contact a variety of groups, explain the situation and ask if they'd like to see the packet capture or possibly even the router (if you don't mind loaning it out). The contribution could be useful if it was a one-off exploit that hasn't been seen by many eyes yet.
This is a pretty big deal if you're right. I'd like to keep track of this, you got a blog?