Spam Doubles, Finding New Ways to Deliver Itself
An anonymous reader noted that the Times is running a piece on the rise in spam that you might have noticed in your inbox over the last 6 months. Gates promised the end of spam by 2006, but they figure it's doubled in the last few months. And best of all, a huge percentage of spam is now images that circumvent traditional text analysis.
Gates promised the end of spam by 2006. He still has one month to succeed. It is still possible. I'm waiting. I really want to see that. Thanks, Bill.
-- Rastignac was here.
The picture spam not caught by the gmail spam filters that I receive all look very very similar. Randomly generated sentences with buzz words and a "picture text" boosting a certain stock.
I'm very surprised these all come through the gmail spam filter. By now it should be easy to identify them.
Competent sysadmins are expensive, and the idea of, say, blocking outbound port 25 would never occur to them, or is brushed off for stupid reasons.
The only way out is to exert pressure on those network owners and the best way to do so is by simply blocking them left and right until they are left with nothing but their huge intranets.
Good for you. Personally I'd rather just email one or two images to the inlaws instead of dicking around with a web based system.
Now, dropping emails that contain images as inline attachments might be a good idea. As would dropping any and all emails with a Content-Type of text/html.
Interesting how things come to pass. Websites like this one and many others have used text-in-image captchas for a couple of years to avoid spam bots. Now, spam bots are using text in images to avoid filters. The spammers have caught up for now, but just wait another couple months/year and anti-spam technology will catch up.
Yeah, cuz it's not enough that I can no longer relay e-mail directly from my machine. It's not enough that I now have to have reverse DNS otherwise my e-mail gets rejected. It's not enough that e-mails that aren't SPAM get dropped/flagged. It's not enough that many e-mail providers drop useful attachments and scan so intrusively into them that I need to encrypt them if I want the e-mail delivered.
Let's take away yet more functionality due to spam! That's a great idea. Seriously, I hate SPAM but the zeal to stop it has ruined many useful features of SMTP.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Who's "they," and how exactly is this ban going to be enforced?
If I really want to share pictures I'll put them on a website or Flickr or something.
At which point, we might as well go back to taking pictures on film and sending copies through the mail. [rolls eyes] Practically all the picture-sharing services are an enormous PITA, and not everyone wants to put up every picture they want to show someone on their personal site.
For corporate servers, I agree, the idea of a no-image-attachments policy makes a lot of sense. For personal use, it's not going to happen, nor should it.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
"The new breed of spam -- call it Spam 2.0"
No, no, no... please, please don't!
Good to see them documenting the rise of email spamming, but I'm surprised the article doesn't talk more about the spammers who are running amok across websites rather than people's inboxes nowadays. While the problem of email spam is still growing, it has pretty much always been there and the public are fully aware of it (with mainstream services such as Gmail offering spam protection, etc), the huge rise at the moment is the amount of web applications and sites that are being exploited. Take for instance Youtube (with many of the most popular videos having their comment threads spammed hard), or any mainstream forum software (most commonly phpBB), where spam bots are continually developed to get around registration methods (including OCR) and then spam the forum with either their profiles or posts. Not forgetting the guestbook spamming which many of the people behind these use for SEO purposes, so they can get phishing or product selling pages to the top of search engines (even if it is for a day or so before they are penalised/blacklisted).
While email spamming is still the main problem, it would be nice to see the mainstream media realise that there is a growing danger in people exploiting community websites nowadays, because all it takes is for one of these operations to install enough spyware/get traffic from sites/top search engines for banking/insurance etc websites, then they will start taking consumers' data faster than spam would - all without the majority of customers realising, because they think the main threat is in their inbox.
Business Voyeur
Do any large email services compare all email over the entire system to check for spam? If gmail receives 4,000,000 messages from the same IP in 5 minutes, each with the same image attached; you can be sure it's spam. That's still defeatable, though.
The only way I can think of to totally stop the problem is to make it unprofitable. Maybe Bill Gates could stop the problem by producing a high-profile ad campaign telling people to stop buying things from Spam.
Username taken, please choose another one.
We can hire the A-Team to come in and stop them.
I pity the fool who litters Mr T's inbox with ads for home equity loans.
Dedicated Cthulhu Cultist since 4523 BC.
Why not use email for what it was meant for?
...
If clients weren't so friendly to "auto show" images this spam would never have existed.
I too send attachments to folks but usually only source files and/or patches (e.g. really small things).
I want my email client to read/write messages, not the "web". It's bad that HTML emails exist.
Tom
Someday, I'll have a real sig.
For about two weeks I have been using the image-spam repositories of MSRBL, and of Sanesecurity. Using a cron script to fetch the data and keep ClamAV's database up-to-date works quite well!
There is a plugin for Spamassassin called Fuzzy OCR. Its false positive rate is pretty low and I haven't seen image spam for weeks.
http://fuzzyocr.own-hero.net/wiki/Downloads
Greylisting. All MTAs should be RFC compliant, so this one hurts the broken MTAs only, but some find the delay this adds to the normal mailing process unworkable.
Fortunately you can whitelist known good servers and even use an AWL.
According to some university administrators I've talked to where it is deployed, 93.6% of all mail is blocked this way. The network is around 20k computers strong. No big mail losses reported.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
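The greylisting behaviour described in the comment above, as an added example that is not part of the original thread or any MTA's code: unknown (IP, sender, recipient) triplets get a temporary 451 and are accepted only when the sending MTA retries after a delay, with a static whitelist and an auto-whitelist (AWL). The class name, delays, AWL threshold and sample traffic are all assumptions constructed for illustration.

```python
import ipaddress

TEMPFAIL = "451 4.7.1 Greylisted, try again later"
ACCEPT = "250 2.0.0 OK"


class Greylist:
    """Minimal in-memory greylisting policy (hypothetical, for illustration)."""

    def __init__(self, whitelist=(), min_delay=300, max_wait=4 * 3600, awl_after=3):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.min_delay = min_delay   # seconds a new triplet must wait before retrying
        self.max_wait = max_wait     # a retry later than this starts over
        self.awl_after = awl_after   # passed triplets before an IP is auto-whitelisted
        self.pending = {}            # triplet -> time of first attempt
        self.known = set()           # triplets that retried correctly
        self.passes = {}             # ip -> number of triplets that passed

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply for a RCPT TO from `ip` at time `now` (seconds)."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return ACCEPT                      # known good server, no delay
        if self.passes.get(ip, 0) >= self.awl_after:
            return ACCEPT                      # AWL: this IP has proven it retries
        triplet = (ip, sender.lower(), rcpt.lower())
        if triplet in self.known:
            return ACCEPT
        first = self.pending.get(triplet)
        if first is None or now - first > self.max_wait:
            self.pending[triplet] = now        # first sighting (or stale record)
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                    # retried too quickly, keep waiting
        del self.pending[triplet]
        self.known.add(triplet)
        self.passes[ip] = self.passes.get(ip, 0) + 1
        return ACCEPT


# Constructed sample traffic: (time, client IP, envelope sender, recipient).
SAMPLE = [
    (0, "203.0.113.9", "promo@bulk.example", "alice@example.net"),     # fire-and-forget sender
    (5, "198.51.100.7", "bob@example.org", "alice@example.net"),       # queueing MTA, first try
    (65, "198.51.100.7", "bob@example.org", "alice@example.net"),      # retry inside the delay
    (905, "198.51.100.7", "bob@example.org", "alice@example.net"),     # retry after the delay
    (910, "192.0.2.25", "news@partner.example", "alice@example.net"),  # whitelisted network
]


def replay(greylist, events):
    """Feed events through the policy and return the three-digit reply codes."""
    return [greylist.check(ip, s, r, t)[:3] for t, ip, s, r in events]


if __name__ == "__main__":
    print(replay(Greylist(whitelist=["192.0.2.0/24"]), SAMPLE))
```

The sender that never retries is never accepted, while the queueing MTA gets through on its second retry; that retry interval is the delay the comment mentions.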
I have had no problems at all using Outlook 2003 with Junk E-mail settings set to high. I have not seen 1 image-spam. However, when I fire up Thunderbird, the image-spam always shows up. I wonder what settings/algorithm MS is using because it works. My corporate E-mail server also blocks all spam. I have not received 1 spam of any type in my office E-mail account.
So is the problem really an increase in spam or incompetent admins who don't know how to set up their filters to block them? Yes, the size & volume of E-mails may have increased, but if you can filter them they will be deleted before they take up space.
We have people who work from home. But I've set them up with email authentication. They can send anything, from anywhere, to anyone, providing that they have signed on with their username and password.
You do it differently?
I know people like to rant about the "spam problem" a lot, but for all practical purposes, the problem has been largely solved for several years now.
If you run reasonable spam filters, including many open source ones, you will not end up with much spam in your inbox. Yeah, there will be lots of spam still being sent, but the real, significant, cost of spam is really mostly people's time, not machines. Any ISP, company or person who gets "too much spam" is simply being penny wise and pound foolish. The same goes for systems that get too many "false positives", that is, legitimate emails being rejected. Almost all of that is due to trying to run "cheap" spam filters, or buying snake-oil systems. Upgrade your mail servers or switch to someone who runs reasonable spam filters.
The "spam problem" of today is really the "you can't do anything about spam" problem. Too many people are convinced that you can't stop spam, so you shouldn't try harder. The problem is low expectations. The problem is people cutting corners.
For email senders having problems getting caught in spam filters, some of this is due to people running bogus spam filters and that is the receiver's problem more than yours. Most of the rest is due to either you not running a standard-compliant mail server on a static IP address that can have a reputation built up for you being a good server, or because you really do send out spam, either due to "bad" customers or backscatter (bogus bounces, challenge/response systems, autoresponders, etc.). Don't be cheap and think you can get away with not running spam filters on your outbound email and catching your "bad" customers. Don't be cheap and spew backscatter. Don't be cheap and say you can't afford to do port 25 blocking of dynamic IP addresses, or not allow customers to configure their reverse DNS.
The vast majority of knowledgeable people in the area of spam do not munge their email addresses. The vast majority suffer neither lots of spam in their inbox nor lots of false positives.
SPF support for most open source mail servers can be found at libspf2.
HTML in e-mail was never standard functionality anyway. E-mail is a text medium, which has grown in some ways without growing the infrastructure to go with it.
HTML e-mails annoy the hell out of me, mainly because for a long time I was quite content to use older e-mail clients that didn't support them. But that's not what I was lamenting.
I was lamenting how anti-spam measures have made e-mail less and less useful. It was drowned out by the righteous replies of "I'll do whatever I want with my mail server". You can do whatever you want with your own server. But I'm allowed to lament the fact that e-mail has become less and less useful.
It seems to me that there is no technological solution to this problem as long as it remains profitable to SPAM. Any technological solution is short lived (i.e: arms race) and will have at least some negative effect. Can't we take away the financial motivation to SPAM? Go after the companies whose products are being sold? The spammer may or may not be offshore or may or may not be using zombies but if that spam message is to be successful then it has to point me at a product. Go after that product!
That's probably naive of me and smarter people than I have attempted to solve this problem. Still, I miss the days when I could just put up an e-mail server and all it had to do was deliver messages to my users. It wasn't the server's job to care about what was in the message -- it was the client's.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
The problem is mainly that the spammers have an absolutely IMMENSE amount of stolen processing power available to them. Botnets with hundreds of thousands of hosts, and many of those PCs have just as much, if not multiple times more processing power than any common server in your rack. Your mail server is built for reliability and I/O, and has a much longer life cycle than a desktop.
It's nothing for the spammers to analyze a captcha, even if they want to. But for every obfuscated image they send to you, you've got much fewer resources to try and analyze it. Even if you build a monster mail transport (muchos dinaros) they'll just bot a few more idiot machines and overwhelm you.
In fact, that's apparently a new tactic some of the more scummy spammers have been taking. If your filtering/tarpitting is TOO good, they'll just unleash the whole botnet onto you and crash your mail servers until such time as you see that it's better to take their crap than try to fight them. I've seen admins complaining about it on NANAE.
It seems outrageous to say this in relation to something as "unimportant" as email... but I really, truly wish we'd start seeing some fatalities amongst the spammer set.
Brandon Hume
hume -> BOFH.Halifax.NS.Ca, http://WWW.BOFH.Halifax.NS.Ca/
Unfortunately, if you go after the product the spam offers, then it turns into a vehicle to damage a third party. Now when someone doesn't like a company/product, they will pay to have a few million spam messages sent out, and destroy their competition. Or they will threaten to do the same if said company doesn't pay a large amount of money.
This happens today with email viruses and botnet attacks, and don't think that it wouldn't happen if you attacked products advertised in spam.
having separate public and limited-distribution email addresses helps, too
I beg to differ. My limited distribution email scheme has been completely foiled by email list selling (by companies I deal with, including pseudo-government departments) and by worms which have harvested emails in the past. Heck, it only takes a single one of my "trusted" contacts (close friends, family) to decide to forward a message to a group with the list recipients viewable and then any of those people who get a virus will let that email into the wild.
I'm tempted to can the whole partitioning of emails altogether and go back to a single email. The system used to work before there were spam filters, and when I could trust the party on the other end. Since both of those are now false, I may as well just simplify.
Is it just my observation, or are there way too many stupid people in the world?
Huh, so everyone who wants to send pictures through e-mail is either an "ignorant fuck," a high-school kid, or a "tool?" Ooookay. I'm not sure there's much point in continuing this discussion, but I'll give it another shot.
* "Frankly if you can't figure out how ..." etc.: Can I figure out how to use Flickr et al.? Sure. Do I want to? No, because their interface sucks. I made my living designing database-driven web applications for seven years, and I can honestly say that by the time I left my last job to return to grad school, I and a team of three other people (count 'em: three) had created a web app that subsumed all the functionality of nearly every DB-driven site I've ever seen (er, with the exception of Google) and looked a hell of a lot better doing it. Making a site for the express purpose of allowing users to post pictures is easy, or at least it ought to be. There is no excuse for the shittiness of sites made for this purpose, or for other single-purpose apps. And there is no reason why I should put myself through the pain of dealing with that shittiness just to send someone a picture of my dog, ferchrissakes.
* The executable ban: another PITA, and one that's occasionally caused me real problems. Is it a good idea generally? Sure, but that's the problem with blanket policies that seem like "generally a good idea" -- when they fail, they fail badly.
* The "no images" option: this is a great idea. Would enough people turn it on to make it useful in stopping the flow of spam? Not a chance. And I guarantee you that any ISP which instituted a blanket ban on images would find itself bleeding customers the way people bleed from a severed artery.
Destroying functionality is not the answer to the spam problem (or almost any problem, really.) People want the functionality -- that's why it's there in the first place. What we need to do is come up with solutions that work in the existing framework, or they aren't solutions at all.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
-You have been modded appropriately-
It's not up to the recipient, it's up to the recipient's service provider; most recipients have no idea what is or isn't happening to their email before they get it.
And we have lost a tremendous amount of functionality due to SPAM. There was a time not so long ago when I could send to a family member: email with an attached photo, email with an attached document, email sent from my own PC and handled with my own SMTP daemon, email that was only two or three lines long, etc.
Now all of these are likely to be rejected. Even plain text email sent with a large subscription SMTP server is now getting blocked by some friends and family members' service providers simply because the domain of the address (my personal web domain) is not whitelisted and this hits the SPAM score where it hurts. A phone call is great... unless you were hoping to do one of the many useful things you used to be able to accomplish by sending attachments (i.e. send an article you're working on to a friend to have them read it and mark it up with revisions before sending it back).
So I suppose your answer is that we should all get an @gmail.com account, have to use it via the Web interface to send plain-text only email with zero attachments that's at least five but no more than twenty sentences long and doesn't use the words "sex," "free," or "mortgage."
Fine, but don't pretend that email hasn't lost a significant amount of functionality due to SPAM or that these restrictions are being imposed democratically by the consensus of common users. Functionality has indeed been lost and the decisions are made by admins at major email providers trying to save costs and manage the tremendous problem that SPAM has become.
The proper solution isn't to filter more. The proper solution is the death penalty for SPAMmers. I'm quite serious. We execute far too many blue collar criminals in this world and not nearly enough white collar ones. SPAMmers should be first among these.
STOP . AMERICA . NOW
Agreed, I tried to send a cdrom driver to a friend today, and gmail told me that I couldn't. Thanks a lot spam. Even though the file was zipped up.
If everyone turned off images, html and anything else, we'd get text only spam instead.
The real problem is authentication in email. While mail servers accept email with any arbitrary 'from' address, this problem will persist.
I want to see an article which tracks down the people who respond to spam and make this thing profitable. I'm sure it will take some investigative talent to find people willing to admit their behavior, but that would be interesting.
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
No joke. HTML in email is a lesson in frustration when trying to design an E-Newsletter or some such marketing thing. Though, once you get your feet dirty, you start to know what you can and cannot do easily.
However, I do appreciate HTML emails and they have good uses. It's cost-effective and a great way to deliver attractive marketing messages to customers. Of course, that's when I (or one of my company's customers) ask for that email. Spam sucks. But we don't want to screw over all the people who use it for good purposes. As it is, my Gmail account seems to be handling spam pretty well.
Cheers,
Fozzy
"The past was erased, the erasure was forgotten, the lie became truth." ~1984 George Orwell
Actually many scanners will not deliver encrypted attachments for this reason. It's a setting you can change in MailScanner, but it's defaulted to block them.
(2) Run *NIX on (at least) one machine in your LAN. (3) Run Sendmail on that machine (or postfix, or whatever MTA you like).
(4) Listen to your wife and kids complain that their family/friends aren't getting e-mails from them.
(5) Correct the configuration on your MTA (oops - mea culpa).
(6) Listen to your wife and kids complain that they're not getting e-mails from their family/friends.
(7) Correct the configuration of your MTA (again).
(8) Listen to your wife and kids complain that they're still getting spammed into oblivion.
(9) Configure mail filters to hold the spam.
(10) Listen to your wife and kids complain that they're missing valid e-mails.
(11) (Repeat steps (8)-(10) recursively until (8) and (10) no longer happen.)
(12) ???
(13) Profit!^H^H^H^H^H^H^HRelax!
Everybody delivers e-mail messages through the SMTP server of their ISP. What is wrong with that?
Network administrators get thousands of connections from infected machines. They drop those connections, except the connection from the official SMTP server of that IP-block. If someone can't put aside their blind determination to ignore the SMTP of their ISP, or lack a damn good reason to send email directly, they deserve to get rejected by recipients. Politely sending a reject message back would double the bandwidth wasted on spam, nobody is waiting for that either.
The best way to accelerate a windows server is by 9.81 m/s2
We're all frogs being boiled alive because we kept getting used to the temperature as it went up.
When and why did we accept needing elaborate programs to throw away our email before we looked at it? When and why did we accept not being able to send files in email, after spending years defining and implementing MIME?
There have been cities that got so accustomed to street crime that people started blaming the people who got attacked instead of the criminal. When and why did we get to the point that someone could tell a normal (and savvy) user of email
>You don't have to be a complete fucking tool you're entire life you know.
?
Not that I have a solution, I'd be out getting rich if I did.
No filters (text or otherwise), no false positives, hundreds of spam messages arrive at my server every day, and approximately 1 a day gets through. I can live with that. Sometimes, a legitimate email will get delayed by several hours. Since I often don't check my email for hours at a time, I can live with that too.
I'm sure there must be some problem that keeps this solution from being widely deployed. But if you're geeky enough to run your own mail server, give it a try. It sure beats fussing with all those filters and crap.
Has there been an increase in spam? Huh. I didn't notice.
Compromise, and whitelist. Anyone can send you plain text emails, but only people you have emailed can send you emails that are anything other than plain text. Since spam filters do pretty well on plain text emails, this should cut down the incoming spam a lot. If someone wants to send you an email containing an attachment and you haven't emailed them before, then all they need to do is first send one saying 'Hi, I want to send you some pictures, is that okay?' If you reply, then the mail server lets them through the next time.
I am TheRaven on Soylent News
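The "compromise, and whitelist" rule proposed in the comment above, as an added example that is not the commenter's code: plain-text mail from anyone goes on to normal filtering, and anything else is accepted only from addresses the user has already written to. The class, the decision labels and the sample messages are assumptions constructed for illustration, and the rule keys on the From header, which another comment in this thread points out is not authenticated.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def is_plain_text_only(msg):
    """True when every leaf MIME part is inline text/plain (no HTML, images, files)."""
    for part in msg.walk():
        if part.is_multipart():
            continue                      # container only, inspect its children
        if part.get_content_type() != "text/plain":
            return False
        if part.get_content_disposition() == "attachment":
            return False
    return True


class CorrespondentPolicy:
    """Hypothetical per-user policy: rich mail only from people the user has mailed."""

    def __init__(self):
        self.known = set()                # addresses the user has sent mail to

    def record_outgoing(self, raw):
        """Learn recipients from a message the user sent."""
        msg = message_from_string(raw)
        fields = msg.get_all("To", []) + msg.get_all("Cc", [])
        for _name, addr in getaddresses(fields):
            if addr:
                self.known.add(addr.lower())

    def decide(self, raw):
        """Return 'filter' (hand to the normal text filter), 'deliver' or 'reject'."""
        msg = message_from_string(raw)
        # Assumption: From is trusted as-is; without sender authentication
        # a forged From of a known correspondent would pass this check.
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if sender in self.known:
            return "deliver"
        return "filter" if is_plain_text_only(msg) else "reject"


# Constructed sample messages.
ASK_FIRST = (
    "From: Stranger <stranger@example.org>\n"
    "To: me@example.net\n"
    "Subject: pictures?\n"
    "\n"
    "Hi, I want to send you some pictures, is that okay?\n"
)
WITH_IMAGE = (
    "From: Stranger <stranger@example.org>\n"
    "To: me@example.net\n"
    "Subject: pictures\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "See attached.\n"
    "--b1\n"
    "Content-Type: image/png\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "iVBORw0KGgo=\n"
    "--b1--\n"
)
MY_REPLY = (
    "From: me@example.net\n"
    "To: Stranger <stranger@example.org>\n"
    "Subject: Re: pictures?\n"
    "\n"
    "Sure, go ahead.\n"
)


def demo():
    """Walk through the exchange the comment describes and return each decision."""
    policy = CorrespondentPolicy()
    before = (policy.decide(ASK_FIRST), policy.decide(WITH_IMAGE))
    policy.record_outgoing(MY_REPLY)      # the user answers the plain-text request
    return before + (policy.decide(WITH_IMAGE),)
```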
"It wasn't the server's job to care about what was in the message -- it was the client's."
And it still should be.
As you point out, the admins have not solved this problem. Mostly because most solutions go after a specific 'attack' and not the problem.
As I see it, the best way to help this problem is a personal whitelist autogenerated by demanding a one time response from the sender. No response in 30 days (or whatever) and it gets trashed.
Once an email address has been authorized, then it's golden. If it is authorized, but not used in 90 (whatever) days, it gets deauthorized.
Content no longer matters on valid emails.
If they have a domain that they keep to be able to respond, then you can find out who is sending and get their ISP to deal with them.
Also, telcoms need to stop selling large pieces of bandwidth to bulk senders.
The Kruger Dunning explains most post on
You could always try sending spams for free penis pills, and sending cyanide capsules to everyone who responds...
I am TheRaven on Soylent News
And the problem is that it appears to work. For giggles, I've tracked a couple of these stocks. If you don't get too greedy, and get out before the spammers (presumably holders of large blocks of stock) dump, you can actually make a good return.
You should revisit your data, and reread the article. The "problem" is that the scammers buy the stock pre-scam, and dump immediately at the first sign of a price blip. When I plug whichever penny stock into Yahoo, the price spike has always been a day or two in the past by the time my server receives (never mind by the time I read) the spam touting it, and hasn't lasted more than a few hours.
So if you, as a spam recipient, play along with their stock game, you can make money, while helping drive up the price for the spammers to make their profit.
No you can't, unless you are "lucky" enough to be among the first recipients of the spam, and act upon it immediately. Depending on the number of shares outstanding, it may well be your buy of maybe $500 to $1000 that triggers the scammer's sell order. Face it, this is a total non-starter. Research already suggests that the scammers are only netting about 5%, which means they're doing about as well as a successful day trader, with only a little less effort. Since you will be in a reactive mode, you will be putting in more effort with significantly greater risk.
Luke, help me take this mask off
Your form is missing an answer to the one I came up
with a while back. It's a hybrid legislation and
vigilante approach in which the law legalises one
very specific form of vigilantism:
Here is my law:
Make it not illegal to send hot cheques or
bogus credit card numbers to spammers.
This permits a kind of reverse spam. We know that when
some item is offered for sale via spam, only a very tiny
percentage of people respond to buy the stuff. If outraged
recipients were allowed to send bad cheques and incorrect
credit card numbers to these bozos, they would fall victim
to the exact same set of problems that we suffer...that
of separating good money from reverse-spam that we would send
to them.
Just as it doesn't take many respondents out of the millions
they spam to make a profit, it doesn't take many of the
millions of victims to send a bad cheque or a bogus credit
card number back to the spammer to mean that they have to
chase down hundreds of bogus payments just in order to collect
a handful of actual payments.
They could try increasingly sophisticated ways to 'filter'
our reverse spam - but we'd find ever cleverer ways around
that.
Well - it probably wouldn't work - there is bound to be a
flaw - but it brings a smile to my face to imagine the
spammer sitting with a million dollars worth of orders
made up of 20,000 cheques for $50 each - knowing full well
that only five of them are real and that the only way to
tell the difference is to attempt to cash each one of them.
He's made several hundred bucks from the idiot buyers - but
in order to cash their cheques he's got to pay in 19,995 bad
cheques - and because of my law, he's got no legal recourse.
If he fails to cash the handful of legitimate cheques, he
upsets his 'real' customers who bought something that didn't
ever arrive...yeah, their cheques didn't get cashed - but
they'll probably think twice about ordering stuff that was
promoted via Spam the next time.
Banks and credit card companies seeing the cost of
bouncing very large numbers of cheques and credit card
numbers would pretty soon impose a hefty surcharge onto
their banking fees for doing this - and voila! No more
direct sales spam!
Actually, I wonder whether it's even necessary to have
the law. Merely having a few tens of thousands of people
ask questions about the product - sending empty envelopes
that need to be opened, slashdotting their web servers, etc.
Anyway - feel free to shoot this idea down in flames too.
www.sjbaker.org
This is going to sound awful, but I've almost stopped trying to come up with solutions. I've implemented some that others have tried and like, but I don't go out of my way. Nothing works well without serious compromises.
:)
Honestly, I'm glad spam has doubled in the last six months. I say pile it on... but not because I'm some sort of masochist. It became clear to me a long time ago that the current technology for sending email just doesn't cut it anymore, and we need to move to something new. Anything new is going to be painful, and it has to be ubiquitous. The only way to get people to make a huge shift like that is to make it the obvious decision.
So, if spam levels are so bad that email isn't even useful anymore, people would consider switching. Now we need some smart people to come to a sweeping consensus on what we should move to so we can all hop on board.