Slashdot Mirror
E-Mail Spam Goes Artisanal (bloomberg.com)
An anonymous reader writes: Spam filters have come a long way over the past two decades — but spammers have, too. Though email providers are better than ever at blocking spam, it's still big business, with a lot of money to be made. Security researchers are seeing a new trend in spam: less volume, and better targeting. The article mentions "snowshoe" attacks, which occupy the middle ground between massive spam campaigns and tiny phishing attacks. "Craig Williams, a senior manager at Talos, said the amount of snowshoe spam has more than doubled in the past two years and now accounts for more than 15 percent of all junk messages distributed globally." Security researchers have been pushing for a unified registry to help deal with these mid-range spammers, but it's hard to get a significant portion of providers on the same page, particularly when many are fond of running their own solutions.
my niece asked if i still used that old-fashioned email. i said no, i use stamps.
"First they came for the slanderers and i said nothing."
One of the proposed solutions (that looks like it might be effective), DMARC, isn't even hard to set up. OK, you need DKIM set up properly on your outgoing mail servers, but that's not that hard to do. If I can figure out how to do it, starting from scratch, in an afternoon, any competent enterprise netadmin should be able to do it. Once DKIM's signing mail, DMARC is just a matter of publishing the DNS records. There's reporting software you can install to send reports back to domain owners when your systems receive problematic mail claiming to be from them, but to just let others detect problematic mail you just need the DNS record with your policies published. This is frankly not rocket science here.
And if your mail software doesn't support DKIM or DMARC? Get better mail software.
"Security researchers have been pushing for a unified registry to help deal with these mid-range spammers, but it's hard to get a significant portion of providers on the same page, particularly when many are hosting spammers.
There I fixed that for you.
Rick B.
"Security researchers have been pushing for a unified registry to help deal with these mid-range spammers, but it's hard to get a significant portion of providers on the same page, particularly when many are fond of running their own solutions."
As soon as you create a unified registry, you create a gate keeper, and his arbitrary decisions as to what is spam. Like the DMOZ days of old, where a category editor would make arbitrary decisions as to whether a website was spam or ham, while actually receiving money to promote some websites behind the backs of DMOZ.
Or like AdBlocker, that blocks ADs unless an ad provider has paid them a registration fee, in which case they let it through.
Do people get spam still? I thought we all learned in the Spam Wars of the 1990's to use different disposable addresses for pretty much everything, burning them to the ground if they start to receive any spam.
I can't even remember the last time I've gotten a spam email. Must be over 15 years. It's a 1990's problem, not a 2016 problem, unless you're doing something very wrong. Spam is optional.
The signal-to-noise ratio in the average persons' inbox is so low that it's almost pointless to use email anymore. I could set up an email account with random alphanumerics and never use it for anything or tell anyone about it, and eventually it'd get filled with spam anyway.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Spammers suck and they exploit dynamic IPs to crap onto the Internet. Trouble is the dipshits at Cloudflare are blocking any IP which has had a spam or anything bad running from it. Spammers know this and disconnect from their IP after they have sent their spam. Deeeeerp. But now it means that honest citizens must begin their day by connecting and disconnecting until they get an IP that Cloudflare + stopspamforum and other dipshits haven't blocked.
BTW Cloudflare say it isn't their fault: They blame their customers for using Cloudflare's "high security settings". But their customers don't realize Cloudlfare has set those so high their head is up their own butt.
SO FUCK YOU CLOUDFLARE. I hope Putin bans you cockheads for good.
Gmail. Check the box, then click tab at top that says more, then select filter messages like these, at bottom select create filter with this search. select delete box, also select apply filter to one matching conversation at the bottom, and click the create filter box next to it.
You never have any email you dont want ever again that easy.
You are welcome.
Thanks Gmail team.
A snowshoe spreads the load of the wearer over a larger area, making it less likely the wearer will exceed the crush strength of the snow and sink in.
Snowshoe spam spreads the SMTP submission task across many IP addresses. So if one gets blocked, they can simply discard it and rent another to replace it. Change IP addresses every hour, and it gets difficult to update the block lists fast enough.
Of course the spammers will find ways to get around the filters, they make money by doing exactly that. The companies behind the filters are patting themselves on the back right now because the volume of read spam is down, but they aren't bothering to tell you that the false positive rate keeps creeping up over time. The critical measurement lies there, in the signal to noise ratio.
Any time the spammers can push down the signal to noise ratio, they win. It means a few more messages get through, and a few more sales are made. Alternatively, it means a few more non-spam emails are caught in filters, which causes people to adjust their filters to let more borderline messages through. The whole time, everyone on the internet is paying to be on the losing side of this arms race.
At the end of the day, as I have said many many times here, spam is an economic problem. No technical, legal, or spiritual solution will stop it. As long as people can make money as spammers, they will keep sending out spam, with no concern for where or to whom it goes. There is only one way to stop spam, and that is by making sure the spammers don't get paid. As soon as the money stops coming in, the spam stops going out.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
It's very tedious to use multiple addresses.
I'd like to know who the idiots are that respond and make spam profitable.
No, not necessarily profitable for the seller of the product whose advertisement is forced into your inbox.(*)
It's profitable for the crooks who are into the business of selling the *act of forcing SPAM into your inbox* to the clueless marketing that think that this a valid way to promote their products.
Really, these enablers are ultimately responsible for spam and should also receive condemnation.
The real enablers who should take responsibility for spam are those clueless enough to think it's a good idea and ask for it as a way to promote their products.
As long as there's demand (we need that ad to reach inboxes, no matter what) there'll be offer (SPAM finding which ever techniques they can come up with to push shit into your inbox).
---
(*) speaking of which: I'm surprised that advertisers haven't started complaining about spam-filters just the way they complain about uBlock/AdBlock killing their business model.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
(* ) Extreme profitability of spam
That is something that has changed a lot recently.
SPAM *used* to be extremely profitable for seller:
- sending an e-mail is basically free. (no stamp, unlike post. No phone connection fees, unlike fax)
- even if you only manage to sell 1 single item, that's still 1 sell that earn the 1x price of item monetary gain
- return on investment ratio: 1 / 0 = +Inf
Nowadays spaming is a business it self, and that has changed:
- for a seller they pay some crook for the spamming act: they pay someone to push the ad to inboxes.
- but they need to make extra sell to make for these costs.
- and the spam could be negative publicity for them
For a modern day seller, living in an era where you subcontract spamming, SPAM isn't extremely profitable.
BUT, the world is filled with stupid clueless seller that genuinely think that this is a genuine method to boost sales.
- for a sleazy crook which sells the service of sending SPAM to inbox (using their botnet or whatever), SPAM is guaranteed to be profitable
- they get paid by the clueless seller.
- they need to invest some light resources (obtaining access to a botnet from other crooks)
- as long as spam reaches inbox, even if they anything isn't sold, it's a success for the SPAMer.
For a modern day SPAM pusher, SPAM is even better than before:
you just get paid to push crap into people's inbox, no matter what happens afterwrard.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Not if you're willing to spend a couple dollars a year on a domain (which, in my case, I own anyway).
Amazon gets amazon@(mydomain), slashdot gets slashdot@(mydomain), etc & all point to 1 single inbox. I have a catch-all in place so I can assign them after the fact (typically I don't bother any more unless one picks up spam - and then I know what business not to trust anymore).
"If you have nothing to hide, you have nothing to fear." - Every fascist, ever
Here's the deal, I'd be interested in your feedback.
I send unsolicited email, anywhere from 100-200 per day depending on the email campaign and targets I'm after although 100 is by far the most common amount. These emails are 100% CAN-SPAM compliant: they come from my email, have my name, address and phone number, provide a opt-out link that is applied within seconds and you never get another from me, if you just email me to stop I apply that request immediately, etc. These are small, text only based emails that can easily be read on a mobile device.
I do not send it to random people, I do my homework. I only send to people that I believe have a reasonable probability of wanting/needing what I'm selling as anything else is a waste of time and resources for both of us. Out of the about 100 per day sent, if I've done my job properly, I get around a 10% response rate asking for more information, a meeting, or something along those lines (sometimes more, sometimes less). Out of the roughly 400 I send a week (I don't send every day) I can expect to generate 2-3 new qualified opportunities that could lead to a sale.
I do not believe this is spamming, the law agrees with that since I am CAN-SPAM compliant although I certainly see the the anti-spam "purists" could make the case that it is spam since it is unsolicited email. This approach has led to a significant increase in sales without a increase is staffing. It beats the hell out of cold calling. It used to take our sales guys about 100 phone calls a day, every single day, to generate 2-3 qualified opportunities a month and now our sales guys makes about 24 'warm' calls a day and generate literally twice as many qualified opportunities.
This strategy works and works very well. With those kind of results and a highly targeted approach, I don't think we're crossing the line. What do you guys think?
I wish they would email the bill. Alas, most just email you telling you that you HAVE a bill... then you have to go to their site to see it. (What? it's a security issue if my email gets intercepted and someone learns I need to pay the gas company $16.49?)
What a hassle - another site to sign up at, more ridiculous and changing password rules to make you pick "good" passwords (if your favorite characters are even allowed).
At least some of them DO send the bill to my e-bank, so that I can see the bill on the same site I am paying it.
That said, I do auto-charge some to a credit card, like the land-line (wife needs it for FAX), toll road, couple of others. And guess what? As long as the amount looks about right, I never look at the bill. It's diabolical, they could be slamming me with small amounts that they no nobody will bother to quibble about, and now, I never even see the details.
(And it does happen. The Long Distance carrier for that land-line comes to $3.68 per month, with Zero services used. That's right, $0.00, plus Federal universal service fund + Fed Telecom relay service + Federal regulatory recovery +Property Tax recovery +interstate services fee. Most if Federal, but CenturyLink has found a way to steal a penny here, a nickle there, every month, from every customer. I am sure it adds up.)
This issue is a bit more complicated than you think.
Yes, however I happen to use GMail, and as a very early adopter I've got a 7-character email name before the @ symbol. I also used disposable email address to prevent spam when signing up to make one single post to a forum for example.
Then one day, some fuckwit (in an entirely different country, halfway across the globe!) decided to register himself with a bunch of shady pyramid-scheme type marketing websites and used *my* email address when doing so.
As a result, I now get inundated with spam from al of these shady marketing websites as well as all the other shady websites that their mailing lists have invariably been sold to and so on.....
It's very tedious to use multiple addresses.
It's too bad you don't have access to a device designed specifically to automate repetitive tasks.
If any of my customers complained, or you hit any of my personal addresses, you'd likely by placed on my block lists. Can-spam compliance means next to nothing for my policy because of how it's been abused or used as an excuse by those who claim to technically be in compliance with it.
The only thing that would likely save you from wrath on my server was if the message contained a reasonable explanation of where you acquired the email address you were sending to and why you believed that the message was well targeted and would be welcomed.
The whores get mad when the sluts give it away for free.
You are sending 100-200 advertising emails a day with the expectation that 90% of the recipients will have no interest in them and never reply. That totally counts as spam. It may be a small scale spam operation, but that doesn't change its essential character.
I receive tons of spam from people I suspect are very similar to you. Here's an example of one I got yesterday:
Dear [my name],
I hope everything goes well with you!
I had contacted you regarding the peptide synthesis several months ago, your paper: [name of a paper I wrote] indicated that you may need synthetic peptides, so I am writing to you again to enquire if you need any new peptide recently?
Needless to say, I have never used synthetic peptides in my life. The paper in question had nothing whatsoever to do with synthetic peptides. Had the person read even the abstract, that would have been obvious to them. But when you're emailing 100-200 people per day, you can't take the time to actually research each person. You just grab the address of every person who's published in a list of journals, and automatically fill in the names of their papers as a hook to make it look like your email was from a real person who actually read their paper.
I get tons of emails like this, and I constantly curse the people who send them. And yes, I always hit the "unsubscribe" links, but I can't see that it's had much effect on the amount of spam I get. CAN-SPAM was nothing but a giveaway to the marketing industry. There are 30 million companies in the U.S., with thousands of new ones created every day. The idea that I should have to opt out of receiving spam from every one of them individually is a joke.
"I'm too busy to research this and form an educated opinion, but I do have time to tell everyone my uninformed opinion."