Slashdot Mirror


What's With All This Spam?

coondoggie writes to mention a Network World article about soaring spam levels, confirmed now by researchers, IT managers, and security vendors. So, indeed, it's not just you: October was a spammy month. From the article: "Levine's assumption is this spike in spam levels is a result of a new generation of viruses and zombies that can infect PCs more quickly and are harder to get rid of. In its October report, messaging security vendor MessageLabs says the spike is largely due to two Trojan programs, Warezov and SpamThru. Others say a new breed of spam messages called image spam -- messages with text embedded in an image file that evade spam filters, which can't recognize the words inside the image -- is responsible." A note: I have no interest in penny stocks.

8 of 212 comments

  1. SPF by Anonymous Coward · · Score: 4, Insightful

    The moron moderator who rated "Domain owners: Set up SPF NOW!!!" as offtopic needs to get a clue. SPF: Sender Policy Framework is used so you can filter out forged mail. The recent flood of stock-pumping spam used many forged domains in the "from", and if you filtered on SPF, you wouldn't have seen as much spam.

    I might add, it would be nice for people to REJECT spam rather than BOUNCE it. When you bounce it, innocent domains get an email complaining about the forged email. With these spambots, it adds up quick! Doing a reject also allows legitimate senders to discover their email was not delivered.
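
Added example, not part of the comment above: a receiver-side sketch of the two points it makes, evaluating SPF for the connecting IP and answering with an SMTP reject during the session instead of accepting and bouncing later. It covers only the `ip4`, `ip6`, `include` and `all` mechanisms; the domains, addresses and records are constructed and stand in for DNS TXT lookups.

```python
import ipaddress

# Constructed TXT records standing in for DNS (example domains, RFC 5737 addresses).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "example.com": "v=spf1 ?all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate a subset of SPF (ip4, ip6, include, all) and return the result."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only when the nested check returns pass
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"          # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched


def smtp_verdict(ip, mail_from):
    """Decide during the SMTP session so no bounce is ever generated."""
    result = check_host(ip, mail_from.rpartition("@")[2].lower())
    if result == "fail":
        # 5xx in-session: the connecting host gets the error, not the forged domain.
        return "550 5.7.23 SPF fail: %s not authorized for %s" % (ip, mail_from)
    return "250 OK (spf=%s)" % result
```

Because the 550 is returned to whichever host is connected, a legitimate relay still produces a non-delivery notice for its own user, while a forging sender generates nothing toward the domain it impersonated.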

  2. what's with all this complaining? by wardk · · Score: 3, Insightful

    what's the source of the spam? windows boxes
    what propagates without knowing? windows boxes
    who's to blame for all this? windows boxes
    what's never gonna solve it? windows boxes
    who's gonna get most of this spam? windows boxes

    solution? no more windows boxes

  3. SPF Does Not Seem to Work by carpeweb · · Score: 4, Insightful

    I noticed a few SPF comments (can't reply directly to them due to the new /. "system" that seems to prevent threading).

    I have not noticed that it helped at all in my case. I have a postmaster account set up with my host that catches all the replies to spams that are sent spoofing my domain. The number seemed to drop in the first week or so after I set up SPF, but it's now back up to an average of 500-1000 per day, and that's just the automated replies I'm seeing.

    I assume the number of spams being sent is much higher, by orders of magnitude.

    From the other comments, it seems possible that I'm misinterpreting the responses. Are they merely an indication of "success"? In other words, are they all just automated responses from the mail servers that correctly figured out (via SPF) that someone was spoofing my domain? This seems illogical, since I'm not sure why a mail server that figured this out would bother with an automated response. Such a policy would double the traffic associated with each "success", which is why it seems illogical to me.

    In addition, of course, I see "out of office" and similar replies from individual mailboxes. Are these merely the indication of mail servers that have not implemented SPF on their (receiving) end? While that doesn't seem illogical, it seems just too easy. In other words, this issue has made me a little paranoid, and I just want to make sure I'm not relying overly much on SPF.

    Are there other tools I could/should be using?

    BTW, I've never, ever received a spam that spoofed a real domain of a large organization. I've seen lame phishes like paypal5.com, but never anything exactly like paypal.com, for example. It's hard to believe that the big guys are 100% successful with just SPF. Am I just being paranoid again?

    Thanks in advance!

  4. Tell the truth by grcumb · · Score: 4, Insightful

    Is there any chance whatsoever that we might somehow convince people to start telling the whole truth?

    > Levine's assumption is this spike in spam levels is a result of a new generation of viruses and zombies that can infect PCs more quickly and are harder to get rid of. In its October report, messaging security vendor MessageLabs says the spike is largely due to two Trojan programs, Warezov and SpamThru.

    This description is almost a lie. This is not malware for PCs. This is malware for Windows. Not Linux, not 'PCs', Not Mac, Not Amiga, BeOS, Wind River, Next, BSD... whatever.

    I'm not bashing, creating FUD or anything else. This Is Not A Trap. I'm just sick and tired of being painted with the same brush as Windows. The 'PC Virus' term is misleading; it makes my life a lot more difficult when I have to go to great lengths to explain to people that, actually, almost all of this malware only affects Windows and the software that runs on it.

    Try to imagine how Bayer would have responded if the poison Tylenol scare in the late 80s were characterised in the media as 'poison headache remedy'? They would have freaked, and consumers would have, too. Journalists have a duty to report accurately and completely on issues that affect us, and this intellectual laziness is starting to look more and more like dishonesty as time goes on.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.

  5. Whitelisting is the only long-term answer by Sloppy · · Score: 2, Insightful

    Reputation systems that assert "x is not a spammer", perhaps with some delegation, are the only long-term answer. Blacklisting was a decent heuristic for a while, IMHO, but it is now approaching end of life.

    But whitelisting will require authentication. Are you openpgp-signing your mail yet? If not, then you're part of why whitelisting can't take off yet. You're part of the spam problem.

    BTW, one thing I don't get about image spam, is how they get the receivers to look at the image. When I receive a spam, especially one with a lot of nonsense text, it doesn't even occur to me to examine the attachments. It's not so much paranoia about a libpng buffer overflow or something, as it is lack of curiosity.

    All I can think of, is that there is some popular email client out there, which shows attached images automatically whether or not the user expressed an interest in the attachments. If that's what's happening, then that email client needs a patch.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.

  6. Re:Greylisting helps by MoxFulder · · Score: 2, Insightful

    Greylisting might be very effective for now, but of course the "fix" is quite easy: the spammers can reprogram the zombies to retry after temporary failures. In that case, greylisting won't slow them down more than proportionally to the rate at which they encounter temporary failures... I'd say a maximum rate of maybe 1 in 3 would be acceptable before legitimate email would be impacted too severely.

    1/3 less spam is still waaaaay too much spam. I'm afraid that even though greylisting is a smart trick, it's not sustainable. Then again, I'm beginning to believe there's *NO* long-term way to slay SPAM, that it will be a permanent back-and-forth battle for years or decades.
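
Added example, not part of the comment above: a minimal triplet greylist of the kind being discussed, plus a helper a mail admin could run over their own connection log to measure how much mail the greylist still holds back. The delays, response text and the three sample attempts are constructed.

```python
class Greylist:
    """Triplet greylisting: defer first contact, accept a retry after a delay."""

    def __init__(self, min_delay=300, max_age=4 * 3600):
        self.min_delay = min_delay   # seconds a new triplet must wait
        self.max_age = max_age       # retry window before the triplet expires
        self.first_seen = {}         # (ip, sender, recipient) -> first attempt time

    def check(self, ip, sender, recipient, now):
        key = (ip, sender.lower(), recipient.lower())
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.max_age:
            self.first_seen[key] = now          # new or expired: start the clock
            return "451 4.7.1 Greylisted, try again later"
        if now - seen < self.min_delay:
            return "451 4.7.1 Greylisted, try again later"
        return "250 OK"


# Constructed log: (seconds, client IP, envelope sender, recipient)
ATTEMPTS = [
    (0, "203.0.113.7", "promo@example.net", "bob@example.com"),    # one try, no retry
    (10, "192.0.2.25", "alice@example.org", "bob@example.com"),    # queueing MTA
    (910, "192.0.2.25", "alice@example.org", "bob@example.com"),   # its retry, 15 min on
]


def delivered_fraction(attempts, greylist):
    """Share of distinct triplets that eventually received a 250."""
    accepted, triplets = set(), set()
    for now, ip, sender, rcpt in sorted(attempts):
        triplets.add((ip, sender, rcpt))
        if greylist.check(ip, sender, rcpt, now).startswith("250"):
            accepted.add((ip, sender, rcpt))
    return len(accepted) / len(triplets)
```

On the sample log only the queueing sender gets through; if the delivered fraction for known-bad sources climbs toward 1.0 over time, the senders have started retrying and the greylist is no longer filtering them.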

  7. Re:I agree that SPF appears necessary by DrSkwid · · Score: 2, Insightful

    > Nobody needs to send email from a box with an address assigned to Comcast or AOL or another consumer broadband provider.

    Please don't tell me what I do and do not need to do.

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter

  8. Not "detraining" by Kelson · · Score: 3, Insightful

    But if you train these messages as spam, and they send similar messages with links, those messages will actually be more likely to be recognized as spam.

    What they're more likely to succeed at is not detraining the filters but overtraining them. By sending innocuous text and getting it trained as spam, your filter is more likely to mark normal mail as spam, thus increasing the level of false positives and resulting in a filter which marks spam, but isn't terribly useful.

    At least, that's the theory, and the more likely goal. I use SpamAssassin, and I generally train on these anyway. I don't see many false positives, and of those I do see, very few (if any at all in the past year or so) have been attributable to the Bayesian portion of the analysis.

    YMMV.
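
Added example, not part of the comment above: a small token-based naive Bayes filter used to measure the overtraining effect the comment describes, by comparing the false-positive rate on held-out good mail before and after innocuous text is trained as spam. This is a generic classifier, not SpamAssassin's implementation, and every message in the corpus is constructed.

```python
import math
from collections import Counter

# Constructed corpus; INNOCUOUS holds normal-looking text that gets trained as spam.
HAM = ["meeting agenda for the quarterly budget review",
       "lunch on friday with the project team"]
SPAM = ["buy cheap pills online now", "hot penny stock alert buy now"]
INNOCUOUS = ["the quarterly project review meeting is on friday",
             "budget agenda for the team lunch",
             "friday meeting agenda for the project"]
HELD_OUT_HAM = ["agenda for the friday project meeting", "team lunch budget review"]


class TokenBayes:
    """Multinomial naive Bayes over whitespace tokens with add-one smoothing."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.counts[label].update(text.lower().split())
        self.docs[label] += 1

    def spam_probability(self, text):
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"]))
        logp = {}
        for label in ("spam", "ham"):
            total = sum(self.counts[label].values())
            logp[label] = math.log(self.docs[label] / sum(self.docs.values()))
            for tok in text.lower().split():
                logp[label] += math.log((self.counts[label][tok] + 1) / (total + vocab))
        return 1 / (1 + math.exp(logp["ham"] - logp["spam"]))


def build_model(extra_spam=()):
    model = TokenBayes()
    for text in HAM:
        model.train(text, "ham")
    for text in list(SPAM) + list(extra_spam):
        model.train(text, "spam")
    return model


def false_positive_rate(model, ham_messages, threshold=0.5):
    """Fraction of known-good mail the model would flag as spam."""
    flagged = [m for m in ham_messages if model.spam_probability(m) >= threshold]
    return len(flagged) / len(ham_messages)
```

Tracking this rate against a fixed set of known-good mail after each training batch shows whether a given batch is pushing ordinary vocabulary toward the spam side.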