Slashdot Mirror
Catching Spam by Looking at Traffic, Not Content
AngryDad writes "HexView has proposed a method to deal with spam without scanning actual message bodies. The method is based solely on traffic analysis. They call it STP (Source Trust Prediction). A server, like a Real-time Spam Black list, collects SMTP session source and destination addresses from participating Mail Transfer Agents (MTAs) and applies statistics to identify spam-like traffic patterns. A credibility score is returned to the MTA, so it can throttle down or drop possibly unwanted traffic. While I find it questionable, the method might be useful when combined with traditional keyword analysis." What do you think? Is this snake oil, or is there something to this?
I realize most of us here would ordinarily prefer for our ISPs to just move bits around, but it seems like they are in a pretty good position to curb spam if they were to start look at traffic patterns like this. If some DSL customer suddenly starts opening hundreds of outgoing SMTP connections, that would be a pretty reliable sign that his machine is pwned. Just block or throttle port 25, and send the customer an email telling him to fix his computer, and keep it blocked until he does - or he contacts abuse@ with a legitimate explanation. Not filtering based on the contents of the data should let them maintain plausible deniability and common carrier status.
We can't do this on our personal or company internet connections because we only see individual messages coming from many different IPs, but on the other end of the connection, or even at the backbone level, this strikes me as a pretty solid solution. They could even just tag the packets with the evil bit and let us decide if we want to filter them or not.
I am going to say it anyway. Why can't people stop responding to spam in the first place? Is it too much to ask? If spammers made absolutely zero dollars for their efforts would they stop? Will underdog be able to escape from the burning rubble in time? Tune in next week to find out in our next exciting adventure!
My humor is probably your flamebait
As soon as you've found a way to get that message through effectively to 100% of the population, do let us know.
Where else would I get my Viagra from?
I think the question raises an interesting point: spams *behave* differently on the network than most legitimate emails. It may not be a perfect discriminator, but it sure might be a corroborative scoring aid. This reminded me of the controversy when Slashdot started using text compressibility as a metric for "lameness." I was a disbeliever, and still have my reservations about it, but as a part of the overall toolbox for filtering lameness, the technique seems to have value.
[
OpenBSD's greylisting in spamd works wonders.
Trolling is a art,
Mailing lists. How does it not tag a server that sends out mail to a list as a spammer?
Best Slashdot Co
People will stop buying from spam when they stop forwarding every hoax or urban legend they recieve through their company e-mail to everybody else on their address book.
When someone finds a way to do it, please ping me.
please put obligatory Standard Spam Form joke below here please
we've got to keep this place organized
Did you ever notice that *nix doesn't even cover Linux?
That's the problem. this world is full of stupid people. They might not make money off of most people the spam gets to, but if you cast a big enough net you're bound to catch something(including some dolphins). Millions of pennies still add up to thousands of dollars.
You constantly struggle for self improvement - and it shows.
Hooray for bad Engrish on fortune cookies
We could try mass mailing them. I've had some success with that in the past. =)
OTOH, As part of a larger array of spam-fighting tools, okay - there's bits in there I actually like and which can be used as part of other solutions, if not used in the way suggested. As someone who runs a couple of MTA's on top of everything else I do around here, I always like to find new and interesting ways of stopping spam.
N.B., all that I ask is this: Please make it useful w/o sucking down resources or requisitioning another server. I detest external RBL's - please don't suggest anything that may have an overly-subjective and/or an overly-dependant basis like that. If it isn't RFC-compliant (yes, Verizon, I'm talking to YOU when I say that!), I won't go near it.
Satisfy those, and yes, I'm interested, as would lots of other SMTP-monkeys out here.
Quo usque tandem abutere, Nimbus, patientia nostra?
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
SIR,
OUR TECHNOLOGY DEPARTMENT HAS COME UP WITH A GREAT OPPUTUNITY TO STOP ALL YOUR SPAM. THIS TECHNOLOGY IS CALLED source Trust Prediction (STP). IT WORKS BASED ON identifying patterns and trends in real time AND IN THIS WAY PREVENT SPAM. HOWEVER TO MAKE PROFIT FROM THIS NEW TECHNOLOGYY WE NEED TO DO A PATENT APPLICATION. YOUR NAME CAME FORWARD AS AN EXCELLENT INVESTOR FOR THIS. WITH THE CURRENT RISE OF SPAM THIS TECH WILL BE REQUIRED QUICKLY BY A LOT OF PEOPLE.
I am only contacting you as a foreigner, I will use my influence to
effect legal approvals and onward transfer into your account At the
conclusion of this business, you will be given 50% of the total
PROFITS, 50% will be for me and my family AFTER DEDUCTION OF THE PATENT COSTS
. I await to hear from you.
Yours truly,
Mr.Barry Leoard.
FNB OF SOUTH AFRICA
THIS
IS MY PRIVATE EMAIL ADDRESS, YOU CAN SEND YOUR REPLY HERE:-
barryleonard@walla.com
I was going to say... What would happen if we all started replying with the same auto generated mails? How would the spammers tell the difference from legit spam replies?
... and its not disimilar from greylisting from what I can tell, but I don't think its going to be
effective in the long term. Getting around this type of filter (or delay) seems relatively simple
compared to the task of defeating the bayesian filters over the past couple years.
The lynchpin of greylisting is that legitimate mail will "try again" after being returned by the
server, while spam will not. The conclusion (which we hope is true) is that any mail that is
not re-sent was in fact spam. Never mind the danger that the assumption could be false and
legitimate mail gets lost -- how long will it be before spammers simply "re try" their spam --
or worse -- just send everything twice?
As with any attempt to modify behavior electronically -- behavior usually wins.
------ The best brain training is now totally free : )
This isn't a new concept. Our mail gateways already participate in something like this with IronPort's SenderBase reputation filtering. 90%+ of our incoming mail traffic is dropped based on poor reputations scores without looking at anything more than the sender's address. So far, we've never had a false-positive that we know of, and only once, after many customers were made a part of a bot-net and started spamming, did SenderBase throttle traffic to one of the local ISP's. A quick call to their mail admins pointing out the problem and they were able to block those customers from sending mail until they were cleaned up and the reputation score climbed back up again.
It has really taken the load off our mail servers by blocking millions of connections. The rest, we run through SpamAssassin and everything works great!"terrorism" and "pedophilia" are the root passwords to the Constitution
Are any of you people still living with spam? Do we really need another solution? I've found that a personally managed baysean filter is plenty good enough. I'm down from 700+ per day to 2-3 per day. I still dislike the fact that spam is out there, but I haven't actually had to deal with it in years. Has this not worked for other people? I mean, I do have to continue to feed the filter, but it's very little work. Nothing wrong with new ideas in the battle, but I thought that for anyone who cared it was already won.
Cheers.
Complaining that people are frequently bad decision makers is usually not worthwhile. Much better to recognize the truth that they are, and then work to try and take the decisions out of their hands.
Its similar to a pretty interesting conceptual innovation in medicine, when people realized that even excellent doctors will at some point make grossly negligent mistakes simply due to the shear amount of work they do (i.e. operating on people with paralytics but not analgesics). So the innovation is to make them make fewer decisions - machines that check settings before running, labels that a four year old could understand, arrows and other reminders liberally applied.
So similarly here, yes it's annoying that people continue to "fund" spammers, but education is not the answer. Because, unfortunately, the spammer's target market of "everyone in the world" will always contain enough people to make their trade profitable if all we rely on is good decision making on the parts of spam recipients. So the solution has to be technical or legal. And in that regard, another small step for man here.
Relax I just want some peanuts.
yes, traffic shaping is effective in determining the nature of connections
I work for a small email company we process millions of emails an hour inbound, but only a few million a day outbound.
Our most effective filters are:
connect/HELO restrictions: you can only get email into the environment if your IP address resolves to a FQDN.
HELO restrictions: if you connect using X different HELO strings, you are blacklisted. Spambots often randomize the helos, this blocks those.
Spamassassin at the client side, filtering email into various folders based on the score.
antivirus server that filters the few viruses that make it in, and phishing is filtered too.
The problem? All this doesn't catch enough of the spam. We still have loads of CPU dedicated to filtering spam, but something like this technique at the border will help, and I'll predict (based on experience watching the traffic and spam filtering graphs) that we could cut spam another 30% just by watching the curves and tightening the restrictions during those peaks.
Thx in advance,
Quo usque tandem abutere, Nimbus, patientia nostra?
because any email that from the 'Democratic People's Republic of $Country' is likely to be as bogus as the countries name. If a country needs to add 'Democratic' or 'Republic' to its name, you know something's wrong
- Central African Republic
- Czech Republic
- Democratic Republic of the Congo
- Dominican Republic
- Former Yugoslav Republic of Macedonia
And that's just the common names and not the official ones like "Republic of Ireland". Given that this is precisely the kind of verbose terminology that you would find in a genuine official email from a government body in such a country, I don't think that's going be suitable for anything other than a minor nudge towards spamminess.UNIX? They're not even circumcised! Savages!
I work for an email hosting company and our standard with ISP customers is they use IMAP or SMTP auth, worst case, POP before SMTP. It's amazing how much spam is blocked going from an open relay for an ISP to authenticated-only.
spambots are bad, but my biggest problem is with fraudsters, both 419ers and standard credit card fraud types.
These sleazebags cause more trouble than the bots, and it's illegal to kill them. I'm not sure why they cause more trouble, they send out less email than the bots, perhaps the scammer's email is better targetted to real people, as opposed to directory harvesting type attacks.
Anyway, definately agree with you there, smtp auth, imap or whatever, all piped through SSL or nothing at all.
Even if no one ever responds, it won't stop as long as the people paying to have it sent think it works. It's like burning candles to St. Balderdash for scam marketing morons. As long as there is a steady supply of rubes who think that sending spam is their road to riches, and are willing to pay some brighter but no more honest spam lord to send their dreck to a bazillion hapless victims for them, spam will contine to flow.
This is true even if no one ever responds to, falls for, or even opens a spam message ever again.
--MarkusQ
My (previous) ISP did this several years ago. I found out when I was making a computer for a friend. At the time (this was a few years ago) I didn't yet know just how quickly an unprotected windows-box is owned by viruses. I thought I'd be okay for the time it takes to download a firewall. 20 seconds later I got a popup that I recognized as an infection, so I shut down the machine, and tried to get the firewall / AV-software with my other machine instead - only to be greeted by a screen where my ISP informs me that "By the look of your outgoing traffic, it would seem that your machine has been turned into a spam-bot by a virus, and your account will be automatically unblocked 1 hour after the suspicious traffic stops." This was followed by some generic instructions for virus removal.
The money in spam isn't from people buying stuff - it is from the silly advertiser thinking they can send their ads to millions of people for $1000. They do this and get a report back that says only 0.8% of the people opened the email.
The spam-sending organization then shows them that they need to revise their message with a better subject line so more people opened the email. Another $1000 and more spam is sent, this time 0.7% of the people open the email.
Continue this until the advertiser runs out of money. If you have enough contracts for sending spam it matters not a whit if anyone buys the stuff at all. It is only important that people pay for it to be sent.
Democratic Republic of the Congo- Welcome to the land of warlords, genocide, and more genocide.
Central African Republic- Less than half the genocide of its neighbor in the congo.
Dominican and Czech Republics, and Macedonia- actual democracies.
So two of your five examples help prove my point- and when you start stacking adjectives together- like 'People's Democratic Republic of Korea' you know you've got one of the worst places to live on Earth.
Also, why on earth would you get an 'official government email' from someone in these countries? That's less likely than you being a Viagra dealer and have Viagra mentioned correctly in your email. That's also why different people will have different spam filters for their mail- if I worked with the Republic of Ireland or was a professor of Greek history I would probably see the word 'Republic' in legitimate email.
You are reading a copy of my copyrighted post.
I use a popular, public email service. My emails have been identified as spam at times. The reality is the everyone from the service uses the same IP email address. All it takes is one person from that service to send spam and all those using the service get flag...so volume along isn't a good indicator.
Why can't people stop responding to spam in the first place? [...] If spammers made absolutely zero dollars for their efforts would they stop?
First off, if people stopped responding to spam, it wouldn't have any effect on phishing spam, since phishing is based on tricking the user into thinking it's legitimate mail rather than spam. Also, once you have control over an army of zombies, the incremental cost of sending one spam is zero. Even if the spammer thinks he's unlikely to make any money at all by sending out spam, he's already set up to do it, so why not? If even one person in ten million clicks on a spam accidentally because his cat walked across his desk, that makes it worth it to the spammer to have sent out the other 9,999,999 spams. Look at all the bayes-poisoning spams we get, with no link to click on; the spammers know they aren't going to profit from those, but they send them anyway, because it's free. And finally, there are a lot of other things you can do with a network of zombies. For instance, you can carry out extortion schemes by threatening DDOS attacks. The basic problems are (1) poor security of Windows, and (2) the fact that the e-mail protocols were designed before the internet existed, in an era when you knew everybody who was on your network.
Find free books.
Makes sense, since:
spam = bad
torrents != bad
Anyway, you're comparing apples to socket wrenches... Torrent is a file transfer protocol which can be used legitimately. Spam is a specific abuse of the various e-mail protocols, and by definition cannot have any legitimate use. For your comparison to make sense, it would either have to be between using torrent to distribute virii and spam, or between torrent and SMTP/etc. traffic.
Try not to take me more seriously than I take myself.
Is to have the ISP charge for email usage in the same way as you get charged for your cell phone usage.
Undetectable Steganography? Yep, there's an app fo
1. Company offering product or service hires spammer 2. Spammer creates botnet by installing spyware in unsecured computers 3. Botnet sends spam Pretty much any solution so far involves stopping step 3, the delivery when the real problem relies in step 1, we need to find ways to stop step 1 from happening. Lets make hiring spammers a criminal offence, the same way "murder for hire" is. You can catch them by just having undercover officers order the product/service. I say let's make hiring spammer to advertise a product or service a Criminal Offense punishable by jail. It will stop U.S. companies from hiring spammers. Then we put pressure in foreign governments to pass similar laws.
HTML is obsolete. It's time for a new, simpler and richer markup language.
For everyone screaming that this isn't feasible, will kill mailing lists, and other wise render effective communication via SMTP impossible you might want to consider that about a quarter of global email volume is already flowing through a system very much like what the OP describes.
s ed_control.pdf
Ironport (recently purchased by Cisco for $830 million US) has been doing this kind of service for large providers for several years.
Their statistics site is publicly viewable, but using their stats requires a subscription fee.
http://www.senderbase.org/
Its interesting to look at how well or poorly the MTA's you use are scored. All of the stats are gathered by the systems they sell to ISP's and enterprise customers. These boxes perform the spam filtering for that organization's customers and provide statistical data back to senderbase.org, which allows all Ironport customers to "know" about problems for all other Ironport customers.
The link to their PDF on their metric's is here:
http://ironport.com/pdf/ironport_wp_reputation_ba
We evaluated their system last year as a possible replacement for a third party spam/virus scanning provider and may end up purchasing their equipment once everything with the Cisco purchase shakes out. Their solution, while not perfect, behaves far better than some of the things that large service providers *coughAOLcough* have tried and are (or were when we tested) comparable to most of the content based scanning systems in terms of spam filtering with a lower rate of false positives.
Looking at Wikipeida we find that out of the 14 freest places to live, 'Republic' is part of the title on 4 of them. Looking at the 8 worst places to live, 'Republic', 'Democratic', and 'People's' are part of the title of 6 of them, and they appear a total of 10 times in the name of 8 countries. So it seems that my point has some factual backing, and there's a strong correlation between having 'Republic', 'Democratic', and 'People's' in a countries name and it being none of the above.
You are reading a copy of my copyrighted post.
Won't work. It just means the owners of zombie PCs get big bills.
The company I work for contracts with advertisers to send out bulk mailings to our opted-in users.
And did they opt in by specifically requesting your mail, or implicitly as part of some other transaction? If it's the latter, you're a spammer. Die.
If people really want your content, offer an RSS feed. If nobody subscribes to your feed, they didn't want your content.
IP Reputation filters are not a new idea by any stretch of the imagination.
CipherTrust TrustedSource
Generally there's nothing to 'reply to' - To order the viagra you've got to go to a web site, or fax in an order - and all the latest 'pump and dump' stock-selling emails don't sell anything at all. They buy some stock, spam out their messages, then dump the stock when the price goes up. Often the company in question knows nothing about it.
Get rid of HTML emails.. Spam isn't as cool when it doesn't have a bunch of fake links, pretty pictures, etc. You think the internet would cease to exist if we went back to text only?
Send a URL in your text-only email if you want to check the email out in HTML...
Just a thought
You sir, have no idea what you're talking about. They get paid by the sale for products, by the lead for mortgages, or a percantage for stocks. Go to bulkerforum.biz and look around.
Before you mod me funny, think, perhaps I was insightfully funny?
Sending spam the old fashioned way (sans botnet) is still very effective. My company uses two throttling appliances, IronPort and Symantec 8160. Both score senders based on their spamminess and throttle appropriately. When we first turned on our 8160s last year, some people in our company thought we had eliminted spam completely. We'll be moving to the IronPort solution soon as its scoring system appears to be a great deal more thorough and reliable; we expect our spam numbers to drop even further when the go live.
Botnets make rate-limiting (which really, is all STP is, besides Stone Temple Pilots and motor oil) an imperfect solutions, but if you can eliminate the old school spammers, trust me, you will take a giant chunk out of your daily spam volume, giving your true anti-spam software more CPU cycles to do its thing, like catch that blasted image spam.
One can come up with all kinds of trick to filter spam, however, the problem still remains. Spam will continue as long as it is profitable. There are too many "Puppies in a barrel" for a spammer to choose. After many, many years of prodding, many people have finally gotten antivirus program, yet they neglect to download or purchase virus database updates. Many people spend time and effort to ensure that their computers are malware
.
free, yet their router retains the default username and admin password. Spammers have programs that allow people to try to log in to these routers and use their embedded telnet commands to send spam without the knowledge of the computer owner or any program residing on their computer. The point is that the Internet can be compared more to "swiss cheese" rather than the "series of tubes" that the politicians use. There are many, many points of attack for spammers to use.
Filtering spam is much akin to a person who holds hands in front of his or her face while a bully is pummeling him or her. The person is likely to fend off blows from the bully, but some of the blows will get through. Once a spam is sent, even if properly filtered, the damage has already been done. Until very recently, all I had in my area was dialup. My program successfully filtered about 99% of the spam received, however I still had to wait about 30 minutes before I was able to view my legitimate mail. I lost 30 minutes of time that I could have been working on a client's problem, while the spammer lost nothing. I also lost a client because a program that I previous used labeled his email he sent me as spam. Again the spammer who spammed me lost nothing. Spammers are like bullies, they will not stop until people HIT BACK!
It is only when spammers have to deal with the large amount of bandwith used, the processing power to handle complaints, and the loss of sales that result from efforts to filter complaints will spam be much less profitable. The idea is to punch back and deter the bully. Sending complaints to the spammers' websites get them at their weak point - the place where they make contact with potential buyers. Several program have attempted to hit back, and 2 of them were very successful in doing so. However, like spammers, these programs had a weak point, and that point was the fact that they needed a central server in order to instruct each individual program. Now things are different. There are several projects currently underway to trade complaint instruction files via peer to peer networks. What this means is that there is no central server which spammers can attack in order to silence complaints to their websites. One such project is called SpammerSkewer, and it is an open source GPL program that is in alpha. The program can be found at http://spammerskewer.sourceforge.net/
It is also important to note that these new programs are not distributed denial of service programs. As for SpammerSkewer, it only receives instructions on how to complain. It does not initiate complaints. Only a user can initiate a complaint by either bringing up the complaint interface or by dragging an email into SpammerSkewer's spam directory. It is the Spammer who determines how many complaints are submitted to their websites. SpammerSkewer's author even provides a way for spammers to "opt out" from receiving complaints if they insert a header clearly labeling their email as spam. Another way they can opt out is by not sending spam in the first place. In a distributed denial of service attack, a person other than the one who controls a victim's website is the one that controls how many visits a site receives. With SpammerSkewer, it is the Spammer who sends out the spam that determines how many visits a site advertised via spam gets. The only sites that are put in SPammerSkewer's instruction files are those well known to be advertised via spam. Instruction files are also cryptographically signed in order to prevent tampering. I
Chances are the people that actually send the spam messages (those who control the botnets) are not the people making money from stock scams, phishing, or sales of pirated software.
In the same way legitimate businesses will pay marketing companies to run advertising campaigns, design, send and manage email distribution lists, etc, less legitimate 'businesses' pay spammers to send out their message to as many people as possible.
So yes, they do get paid - just not by the victims of the spam.
Thanks for you misguided rant, quite amusing.
My ISP (and I mean mine, I'm a shareholder) doesn't give a flying fuck what I do with the bandwidth I paid for (and yes, I do pay). The fixed IP of my 2Mb ADSL suits my needs, and many of the needs of other business users we have as customers, extra QoS not required
Get off your high horse and suck it's cock.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter