Slashdot Mirror


E-Mail Spam Goes Artisanal (bloomberg.com)

An anonymous reader writes: Spam filters have come a long way over the past two decades — but spammers have, too. Though email providers are better than ever at blocking spam, it's still big business, with a lot of money to be made. Security researchers are seeing a new trend in spam: less volume, and better targeting. The article mentions "snowshoe" attacks, which occupy the middle ground between massive spam campaigns and tiny phishing attacks. "Craig Williams, a senior manager at Talos, said the amount of snowshoe spam has more than doubled in the past two years and now accounts for more than 15 percent of all junk messages distributed globally." Security researchers have been pushing for a unified registry to help deal with these mid-range spammers, but it's hard to get a significant portion of providers on the same page, particularly when many are fond of running their own solutions.

8 of 68 comments

  1. Haven't seen this one in a while by phantomfive · · Score: 5, Funny

    Your post advocates a

    (*) technical () legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    () Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    (*) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    () Requires too much cooperation from spammers
    (*) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    () Spammers don't care about invalid addresses in their lists
    () Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    () Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    (*) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    (*) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    (*) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    () Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    () Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    () Any scheme based on opt-out is unacceptable
    (*) SMTP headers should not be the subject of legislation
    (*) Blacklists suck
    (*) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    (*) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    () I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (*) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Haven't seen this one in a while by Todd+Knarr · · Score: 2, Informative

      Fail.

      • It's not about stopping spam so much as detecting mail that's not being sent from the servers the purported domain owner says it should be coming from.
      • It doesn't require total cooperation.
      • There are no jurisdictional problems with implementing DKIM/DMARC, and they were designed to work with SMTP (although they'll work with any other mail protocol when it comes to that).
      • One of the goals is to reduce the profitability of spam.
      • DMARC doesn't require email headers, and DKIM's header doesn't need to be legislated for you to implement it. Yes, that means the spammers don't have to implement it, but that won't help them evade it since the whole point of DKIM is to make it impossible for spammers to implement the header correctly (they don't have the correct private key to generate the signature, only the legitimate domain owner has it).
      • There's no blacklist, and the only whitelist is of valid outgoing mail servers for a domain maintained by the domain owner (who ought to know what mail servers his domain uses).
      • It doesn't demand that you trust any servers. It tells you what servers the domain owner trusts to send mail for him. Whether you trust that list or not, you can still trust the important fact needed: any server not on that list should not be trusted to be sending mail from the domain.
  2. Re:DMARC by mysidia · · Score: 3, Interesting

    DMARC, isn't even hard to set up

    Except DMARC with SPF breaks E-mail forwarding between domains, and DKIM with DMARC breaks legitimate mailing lists, so neither is viable.

    However, the Authenticated Received Chain spec is promising.
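
The checks discussed in the two comments above (SPF's list of authorized servers, DKIM's signature, and DMARC's requirement that one of them pass for the From: domain), modelled over a direct, a forwarded, a mailing-list and a spoofed delivery. This is an added example, not code from any poster; the domains, addresses and message are constructed, organizational-domain matching is approximated by the last two labels, and DKIM is reduced to its body-hash comparison with the signature check omitted.

```python
import hashlib
import ipaddress

# Constructed SPF data: networks each (hypothetical) domain authorizes to send.
SPF = {"example.com": ["192.0.2.0/24"], "lists.example.net": ["198.51.100.0/24"]}

def org_domain(domain):
    # Assumption: last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def spf_pass(envelope_domain, ip):
    nets = SPF.get(envelope_domain, [])
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def body_hash(body):
    return hashlib.sha256(body.encode()).hexdigest()

def dkim_pass(msg):
    # Simplified: body-hash comparison only; the signature check is omitted.
    sig = msg.get("dkim")
    return sig is not None and sig["bh"] == body_hash(msg["body"])

def dmarc(msg):
    """DMARC passes if SPF or DKIM passes for a domain aligned with From:."""
    from_org = org_domain(msg["from_domain"])
    spf_ok = (spf_pass(msg["envelope_domain"], msg["ip"])
              and org_domain(msg["envelope_domain"]) == from_org)
    dkim_ok = dkim_pass(msg) and org_domain(msg["dkim"]["d"]) == from_org
    return {"spf": spf_ok, "dkim": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

def scenarios():
    body = "Your invoice is attached.\r\n"
    sig = {"d": "example.com", "bh": body_hash(body)}
    direct = {"from_domain": "example.com", "envelope_domain": "example.com",
              "ip": "192.0.2.10", "body": body, "dkim": sig}
    return {
        "direct": dmarc(direct),
        # Forwarder relays unchanged from its own IP: SPF fails, DKIM survives.
        "forwarded": dmarc({**direct, "ip": "203.0.113.5"}),
        "forwarded_spf_only": dmarc({**direct, "ip": "203.0.113.5", "dkim": None}),
        # List appends a footer and uses its own envelope sender.
        "mailing_list": dmarc({**direct, "ip": "198.51.100.7",
                               "envelope_domain": "lists.example.net",
                               "body": body + "-- list footer --\r\n"}),
        "spoofed": dmarc({**direct, "ip": "203.0.113.99", "dkim": None}),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} {result}")
```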

  3. Not even the correct definition of Snowshoe.... by Temkin · · Score: 3, Informative

    A snowshoe spreads the load of the wearer over a larger area, making it less likely the wearer will exceed the crush strength of the snow and sink in.

    Snowshoe spam spreads the SMTP submission task across many IP addresses. So if one gets blocked, they can simply discard it and rent another to replace it. Change IP addresses every hour, and it gets difficult to update the block lists fast enough.
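
The spreading pattern described in the comment above, seen from the receiving side: an added example (not from the thread) that groups a mail log by message fingerprint and flags campaigns sent from many addresses at low volume each, next to a plain per-IP volume limit that misses them. The log format, addresses, fingerprints and thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

def sample_log():
    """Constructed log lines: '<hour> <source IP> <message fingerprint>'."""
    lines = []
    # Snowshoe campaign: two fresh IPs per hour, two messages per IP.
    for hour in range(6):
        for k in range(2):
            lines += [f"{hour} 10.20.{hour}.{10 + k} fp-snow"] * 2
    # Legitimate newsletter: two stable IPs, high volume each.
    for ip in ("192.0.2.25", "192.0.2.26"):
        lines += [f"0 {ip} fp-news"] * 40
    # Classic single-source blast.
    lines += ["3 203.0.113.7 fp-blast"] * 30
    return lines

def per_ip_blocklist(lines, limit=10):
    """Naive control: list every IP that sends more than `limit` messages."""
    volume = defaultdict(int)
    for line in lines:
        _hour, ip, _fp = line.split()
        volume[ip] += 1
    return {ip for ip, n in volume.items() if n > limit}

def detect_snowshoe(lines, min_ips=8, max_per_ip=5):
    """Flag fingerprints sent from many IPs with little volume per IP."""
    per_fp = defaultdict(lambda: defaultdict(int))
    for line in lines:
        _hour, ip, fp = line.split()
        per_fp[fp][ip] += 1
    flagged = {}
    for fp, counts in per_fp.items():
        if len(counts) >= min_ips and max(counts.values()) <= max_per_ip:
            subnets = {ipaddress.ip_network(f"{ip}/24", strict=False)
                       for ip in counts}
            flagged[fp] = {"ips": len(counts), "subnets": len(subnets),
                           "messages": sum(counts.values())}
    return flagged

if __name__ == "__main__":
    log = sample_log()
    print("per-IP limit lists:", sorted(per_ip_blocklist(log)))
    print("snowshoe campaigns:", detect_snowshoe(log))
```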

  4. Nobody should be surprised by this by damn_registrars · · Score: 4, Insightful

    Of course the spammers will find ways to get around the filters, they make money by doing exactly that. The companies behind the filters are patting themselves on the back right now because the volume of read spam is down, but they aren't bothering to tell you that the false positive rate keeps creeping up over time. The critical measurement lies there, in the signal to noise ratio.

    Any time the spammers can push down the signal to noise ratio, they win. It means a few more messages get through, and a few more sales are made. Alternatively, it means a few more non-spam emails are caught in filters, which causes people to adjust their filters to let more borderline messages through. The whole time, everyone on the internet is paying to be on the losing side of this arms race.

    At the end of the day, as I have said many many times here, spam is an economic problem. No technical, legal, or spiritual solution will stop it. As long as people can make money as spammers, they will keep sending out spam, with no concern for where or to whom it goes. There is only one way to stop spam, and that is by making sure the spammers don't get paid. As soon as the money stops coming in, the spam stops going out.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Nobody should be surprised by this by MightyMartian · · Score: 2

      Nevertheless, it is the open nature of SMTP, developed in a kinder, gentler age, that makes dealing with spam so difficult. That being said, walled gardens like Facebook have their fair share, but seeing as all messages are in strict terms internal it's easier for such systems to be altered to deal with more egregious spam attacks. With SMTP, you're stuck with a number of solutions that still, if the system is going to be of any use, necessarily leave the door open a crack.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  5. Re:snowshoe to you, too by msauve · · Score: 2

    I'd like to know who the idiots are that respond and make spam profitable. Really, these enablers are ultimately responsible for spam and should also receive condemnation.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  6. If only they WOULD email the bill by NotQuiteReal · · Score: 3, Insightful

    I wish they would email the bill. Alas, most just email you telling you that you HAVE a bill... then you have to go to their site to see it. (What? it's a security issue if my email gets intercepted and someone learns I need to pay the gas company $16.49?)

    What a hassle - another site to sign up at, more ridiculous and changing password rules to make you pick "good" passwords (if your favorite characters are even allowed).

    At least some of them DO send the bill to my e-bank, so that I can see the bill on the same site I am paying it.

    That said, I do auto-charge some to a credit card, like the land-line (wife needs it for FAX), toll road, couple of others. And guess what? As long as the amount looks about right, I never look at the bill. It's diabolical, they could be slamming me with small amounts that they know nobody will bother to quibble about, and now, I never even see the details.

    (And it does happen. The Long Distance carrier for that land-line comes to $3.68 per month, with Zero services used. That's right, $0.00, plus Federal universal service fund + Fed Telecom relay service + Federal regulatory recovery + Property Tax recovery + interstate services fee. Most is Federal, but CenturyLink has found a way to steal a penny here, a nickel there, every month, from every customer. I am sure it adds up.)

    --
    This issue is a bit more complicated than you think.