Slashdot Mirror


Spam Doubles, Finding New Ways to Deliver Itself

An anonymous reader noted that the Times is running a piece on the rise in spam that you might have noticed in your inbox over the last 6 months. Gates promised the end of spam by 2006, but they figure it's doubled in the last few months. And best of all, a huge percentage of spam is now images that circumvent traditional text analysis.

11 of 486 comments

  1. Fuzzy OCR by Conception · · Score: 5, Informative

    There is a plugin for Spamassassin called Fuzzy OCR. Its false positive rate is pretty low and I haven't seen image spam for weeks.

    http://fuzzyocr.own-hero.net/wiki/Downloads

  2. One viable alternative by A+beautiful+mind · · Score: 2, Informative

    Greylisting. All MTAs should be RFC compliant, so this one hurts the broken MTAs only, but some find the delay this adds to the normal mailing process unworkable.

    Fortunately you can whitelist known good servers and even use an AWL.

    According to some university administrators I've talked to where it is deployed, 93.6% of all mail is blocked this way. The network is around 20k computers strong. No big mail losses reported.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
    1. Re:One viable alternative by E-Lad · · Score: 4, Informative

      Two weeks ago we implemented 3-factor greylisting here at the university I work at. We went from delivering 700,000 emails per day to 200,000 after turning it on, which works out to about 10 messages per day, per email box on average... certainly a more realistic number. The response from the users has been great (some even thought that our email system was broken at first because they stopped getting so much noise in their inbox/spam folder, the change was that dramatic).

      Naturally, the work-around for spammers is to resend their spams, but they would have to do it from the same IP and with the same envelope from and to address. This means that their army of zombie'd PCs would have to work twice as hard if greylisting was common practice, and likely require a non-trivial change to the software on these zombies. We'll have to see how it pans out, but after watching my greylist logs and inspecting the spams which do get through, it seems that perhaps a few spammers have already caught on to this, but not all. Most of the spams which do get through our greylisting are subsequently caught by Spamassassin and RBLs, and come from open-relays (those still exist!)
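The triplet check described in the two comments above, as an added example that is not part of the original thread and not any particular greylisting product's code. The 300-second delay, the one-day expiry, the whitelist entry and the sample traffic are assumptions made for the illustration.

```python
import time

class Greylist:
    """Greylisting keyed on (client IP, envelope sender, envelope recipient)."""

    def __init__(self, min_delay=300, max_age=86400, whitelist=()):
        self.min_delay = min_delay        # assumed: seconds a new triplet must wait
        self.max_age = max_age            # assumed: forget triplets never retried
        self.whitelist = set(whitelist)   # known-good relay IPs skip the check
        self.first_seen = {}              # triplet -> time of first attempt
        self.passed = set()               # triplets that retried correctly

    def check(self, ip, mail_from, rcpt_to, now=None):
        """Return an SMTP-style reply for one delivery attempt."""
        now = time.time() if now is None else now
        if ip in self.whitelist:
            return "250 whitelisted"
        key = (ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return "250 known triplet"
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.max_age:
            self.first_seen[key] = now    # first sight: temporary failure
            return "450 greylisted, try again later"
        if now - seen < self.min_delay:
            return "450 greylisted, retry too soon"
        self.passed.add(key)              # same triplet came back after the delay
        return "250 accepted after retry"

def replay(attempts, **settings):
    """Feed (timestamp, ip, from, to) tuples through a fresh greylist."""
    gl = Greylist(**settings)
    return [gl.check(ip, f, t, now=ts).split()[0] for ts, ip, f, t in attempts]

# Constructed sample traffic (documentation IP ranges, made-up addresses).
SAMPLE = [
    (0,    "192.0.2.10",   "alice@example.org", "bob@example.edu"),  # queueing MTA
    (5,    "198.51.100.7", "x@example.net",     "bob@example.edu"),  # sender never retries
    (60,   "198.51.100.8", "x@example.net",     "bob@example.edu"),  # same mail, other IP
    (900,  "192.0.2.10",   "alice@example.org", "bob@example.edu"),  # MTA retry from queue
    (1000, "203.0.113.5",  "news@example.com",  "bob@example.edu"),  # whitelisted relay
]

if __name__ == "__main__":
    print(replay(SAMPLE, whitelist={"203.0.113.5"}))
```

A resend from a different IP counts as a new triplet and is deferred again, which is why only a sender that queues and retries from the same host gets through.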

  3. Outlook 2003 blocks all of the image-spam I get by SpecialAgentXXX · · Score: 4, Informative

    I have had no problems at all using Outlook 2003 with Junk E-mail settings set to high. I have not seen 1 image-spam. However, when I fire up Thunderbird, the image-spam always shows up. I wonder what settings/algorithm MS is using because it works. My corporate E-mail server also blocks all spam. I have not received 1 spam of any type in my office E-mail account.

    So is the problem really an increase in spam or incompetent admins who don't know how to set up their filters to block them? Yes, the size & volume of E-mails may have increased, but if you can filter them they will be deleted before they take up space.

    1. Re:Outlook 2003 blocks all of the image-spam I get by muckdog · · Score: 3, Informative

      Do you realize how many valid emails are likely getting caught by your filters? Just because you're not seeing any spam doesn't mean your spam filters are doing what they are supposed to do.

  4. Re:ban images? by Eagleartoo · · Score: 2, Informative

    Or you could just zip/rar/tar/lha your files and attach to the email.
    Man you sound like a Karate Movie! =)
    --
    -You have been modded appropriately-
  5. Bill gates IS the problem! by Anonymous Coward · · Score: 1, Informative

    Bill gates IS the problem! All these botnets are using windows exploits to turn these boxes into spam barfing zombies. Do we see a trend here?!

  6. Re:Spam is a non-issue for those in the know. by Anonymous Coward · · Score: 1, Informative

    I divide my "trusted" contacts into two basic groups: people with a clue and people without. When I start receiving spam from the address that I give to clueless people, I change it and announce the change. I then shut down the offending e-mail address so any new mail coming in will bounce. This has the effect of "punishing" the entire clueless group without impacting the rest of my friends and relatives.

    I also have public addresses that I use for correspondence with companies that I do business with. Surprisingly, I never receive spam on those addresses.

    Works for me. I can count on one hand the number of spam messages I've received in the last year and that's without using any type of spam filtering. YMMV.

  7. Re:Using Clamav against the images by Giloo · · Score: 2, Informative

    I thought about using such a repository for image spams, but the real problem here is to deal with the small differences between each image signature, and that's quite hard to obtain only from MD5 signatures. When looking around the database FuzzyOCR can create, you won't see much more repetition, which clearly shows that using too "simple" hashes would just not be efficient. When I asked people working on FuzzyOCR they told me that they think a lot about how to find out if an image just looks like another without having to compare the complete file. There's a lot of work to be done for this though ... My idea is that we should start shooting spammers..
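The MD5 problem raised in the comment above, as an added example that is not part of the original thread and is not FuzzyOCR's method: it swaps in a simple average hash (aHash) to show an image fingerprint that survives small per-copy changes. The 32x32 test images and the 6-bit threshold are constructed assumptions.

```python
import hashlib

def make_image(left, top, size=16, noise=False, dim=32):
    """Constructed grayscale test image: bright square on a dark background."""
    img = []
    for y in range(dim):
        row = []
        for x in range(dim):
            v = 200 if left <= x < left + size and top <= y < top + size else 30
            if noise:                     # per-copy jitter of 0..4 grey levels
                v += (x * 7 + y * 13) % 5
            row.append(v)
        img.append(row)
    return img

def md5_of(img):
    """Exact-match signature over the raw pixel bytes."""
    return hashlib.md5(bytes(v for row in img for v in row)).hexdigest()

def average_hash(img, grid=8):
    """64-bit aHash: each cell's mean compared with the mean of all cells."""
    step = len(img) // grid
    cells = []
    for gy in range(grid):
        for gx in range(grid):
            block = [img[y][x]
                     for y in range(gy * step, (gy + 1) * step)
                     for x in range(gx * step, (gx + 1) * step)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    return sum(1 << i for i, c in enumerate(cells) if c > mean)

def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")

def looks_alike(img_a, img_b, max_bits=6):
    """Assumed threshold: at most 6 of 64 bits may differ."""
    return hamming(average_hash(img_a), average_hash(img_b)) <= max_bits

ORIGINAL = make_image(8, 8)               # constructed "template" image
JITTERED = make_image(8, 8, noise=True)   # same layout, every pixel nudged
UNRELATED = make_image(0, 0)              # different layout

if __name__ == "__main__":
    print(md5_of(ORIGINAL) == md5_of(JITTERED), looks_alike(ORIGINAL, JITTERED))
    print(hamming(average_hash(ORIGINAL), average_hash(UNRELATED)))
```

The jittered copy has a different MD5 but an identical 64-bit fingerprint, while the unrelated layout differs in 24 bits and falls outside the threshold.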

  8. Re:ban images? by TheRaven64 · · Score: 4, Informative

    Compromise, and whitelist. Anyone can send you plain text emails, but only people you have emailed can send you emails that are anything other than plain text. Since spam filters do pretty well on plain text emails, this should cut down the incoming spam a lot. If someone wants to send you an email containing an attachment and you haven't emailed them before, then all they need to do is first send one saying 'Hi, I want to send you some pictures, is that okay?' If you reply, then the mail server lets them through the next time.

    --
    I am TheRaven on Soylent News
  9. Timing VERY Crucial In Pump n Dump by cmholm · · Score: 4, Informative

    And the problem is that it appears to work. For giggles, I've tracked a couple of these stocks. If you don't get too greedy, and get out before the spammers (presumably holders of large blocks of stock) dump, you can actually make a good return.

    You should revisit your data, and reread the article. The "problem" is that the scammers buy the stock pre-scam, and dump immediately at the first sign of a price blip. When I plug whichever penny stock into Yahoo, the price spike has always been a day or two in the past by the time my server receives (never mind by the time I read) the spam touting it, and hasn't lasted more than a few hours.

    So if you, as a spam recipient, play along with their stock game, you can make money, while helping drive up the price for the spammers to make their profit.

    No you can't, unless you are "lucky" enough to be among the first recipients of the spam, and act upon it immediately. Depending on the number of shares outstanding, it may well be your buy of maybe $500 to $1000 that triggers the scammer's sell order. Face it, this is a total non-starter. Research already suggests that the scammers are only netting about 5%, which means they're doing about as well as a successful day trader, with only a little less effort. Since you will be in a reactive mode, you will be putting in more effort with significantly greater risk.

    --
    Luke, help me take this mask off ... Just for once, let me butterfly kiss you with my own eyes.