
What's With All This Spam? 212

coondoggie writes to mention a Network World article about soaring spam levels, confirmed now by researchers, IT managers, and security vendors. So, indeed, it's not just you: October was a spammy month. From the article: "Levine's assumption is this spike in spam levels is a result of a new generation of viruses and zombies that can infect PCs more quickly and are harder to get rid of. In its October report, messaging security vendor MessageLabs says the spike is largely due to two Trojan programs, Warezov and SpamThru. Others say a new breed of spam messages called image spam -- messages with text embedded in an image file that evade spam filters, which can't recognize the words inside the image -- is responsible." A note: I have no interest in penny stocks.
This discussion has been archived. No new comments can be posted.

  • I use GMail (Score:4, Informative)

    by Com2Kid ( 142006 ) <com2kidSPAMLESS@gmail.com> on Thursday November 09, 2006 @06:35PM (#16789339) Homepage Journal
    What spam? I get maybe 1 or 2 spam emails in my actual inbox each week.

    Oh, my spam folder? Over a hundred a day, but as I recall, Gmail has miscategorized maybe 2 or 3 messages as spam during the entire time I have used it. Unless I am expecting something, I rarely check the spam folder at all.
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Thursday November 09, 2006 @06:35PM (#16789343)
    Comment removed based on user account deletion
  • Ameritrade (Score:5, Informative)

    by masterz ( 143854 ) on Thursday November 09, 2006 @06:37PM (#16789363)
    Many of these stock spams have been going to people who have accounts at Ameritrade. It is likely that their email list has been stolen. See http://www.billkatz.com/node/77 [billkatz.com] for details.
  • by GWBasic ( 900357 ) <`slashdot' `at' `andrewrondeau.com'> on Thursday November 09, 2006 @06:37PM (#16789365) Homepage

    Domain owners: Set up SPF NOW!!!

    I set up SPF on my domains and the number of bounces from spoofed SPAM dropped dramatically.

    Do not wait any longer, do your duty to the internet community: Set up SPF NOW!!!

  • Don't be so smug (Score:5, Informative)

    by Kris_J ( 10111 ) * on Thursday November 09, 2006 @06:45PM (#16789409) Homepage Journal
    I barely get any spam either, but my ISP's mail servers are so choked with the stuff that real emails are being delayed by as much as two and a half days. So all of you who say "What spam?" need to be aware that, unless you only send messages to yourself, it's a real problem for everyone.
  • Re:Reverse OCR (Score:3, Informative)

    by Phroggy ( 441 ) * <slashdot3@ p h roggy.com> on Thursday November 09, 2006 @07:14PM (#16789597) Homepage
    At work we use spam assassin with a gpl OCR plugin, however, it's getting foiled by intentional added noise in the images. I propose we come up with a way to detect these non-character elements (noise) in the associated spam images instead of just trying to OCR the text. The noise I've seen seems to be like it should be easily detectable.

    I use a plugin called FuzzyOcr [apache.org], and it handles animation and noise very well. Unfortunately the OCR itself isn't great, so it reads a lot of gibberish. FuzzyOCR compensates for this by being very liberal with its string matching (hence the name). The nice thing is, it correctly identifies the vast majority of the image-based spam I receive. Unfortunately, it's very easy for it to identify false positives. So far I haven't had this problem, but you might, especially if people often send you screen shots.
  • by macintologist ( 1025289 ) on Thursday November 09, 2006 @07:19PM (#16789623)
    Check out this link http://www.hawkwings.net/2006/08/01/mailapp-rule-fix-for-image-spam/ [hawkwings.net] It's for Apple Mail, but can be applied to any mainstream email app.
  • Re: Filter by IPs (Score:3, Informative)

    by Kelson ( 129150 ) * on Thursday November 09, 2006 @07:33PM (#16789689) Homepage Journal
    But one thing they cannot change is their IP addresses.

    Sure they can. They've got access to botnets of random compromised PCs sitting in homes and offices around the world. If they find one being blocked too much, all they have to do is send the commands to another one. It's legit mailers, who have anywhere from one to a few dozen outgoing servers (depending on the size of the organization) who can't change their IPs.

    I wrote a script to parse my mail and save the IP addresses (or more precisely, their first two numbers - e.g., 213.186) that appear in spam messages, but not in normal ones.

    The list you're putting together is probably mostly a mix of spam-friendly ISPs and residential/small business DSL/cable IP blocks. The reason you're not seeing many false positives is that most legit home users send through their ISP's mail server rather than directly to you, so you don't see that their IP is on your list.

    Parent [slashdot.org]
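An added example (not the script from the quoted post, and not any poster's code): one way to build the "first two numbers" list from the host that actually connected to your server. All messages and addresses are constructed; `msg`, `SPAM` and `HAM` are hypothetical names.

```python
import re
from collections import Counter
from email import message_from_string

IP_RE = re.compile(r"\[(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}\]")

def connecting_prefix(raw):
    """'a.b' of the host that connected to our server: the topmost Received
    header is the only one our own MTA wrote; lower ones can be forged."""
    received = message_from_string(raw).get_all("Received", [])
    m = IP_RE.search(received[0]) if received else None
    return f"{m.group(1)}.{m.group(2)}" if m else None

def spam_only_prefixes(spam, ham):
    """Prefixes seen as connecting hosts in spam but never in ham, with counts."""
    spam_counts = Counter(p for p in map(connecting_prefix, spam) if p)
    ham_seen = {connecting_prefix(m) for m in ham}
    return {p: n for p, n in spam_counts.items() if p not in ham_seen}

def msg(*hops):
    """Build a constructed message whose Received chain is `hops`, newest first."""
    lines = [f"Received: from x (x [{ip}]) by mx.example.org" for ip in hops]
    return "\n".join(lines) + "\nSubject: test\n\nbody\n"

# Constructed corpus. 213.186 is the prefix quoted in the thread; the rest are
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
SPAM = [msg("213.186.40.7"), msg("213.186.99.1"), msg("203.0.113.5")]
HAM = [
    msg("192.0.2.25", "213.186.12.34"),  # home user in 213.186, relayed by ISP
    msg("198.51.100.10"),                # organisation's outgoing server
]

if __name__ == "__main__":
    # 213.186 stays on the list even though a legitimate sender lives there,
    # because that sender is only ever seen behind the ISP relay 192.0.2.25.
    print(spam_only_prefixes(SPAM, HAM))
```
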

  • by Anonymous Coward on Thursday November 09, 2006 @07:53PM (#16789777)
    I used to work for a spam company. They would buy 10 domains a week at $5/domain (reseller license). I set up SPF records for all of those domains because it would reduce the spam score at some ISPs if mail came from a domain with a valid SPF record. We were making $20k/day, so the cost of buying a domain was minimal. SPF records aren't quite used the way they should be.
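An added example, not part of any comment in the thread: a minimal SPF evaluation over constructed records, handling only the `ip4`, `ip6` and `all` mechanisms with no DNS lookups (domains, addresses and the `RECORDS` table are made up). It shows both points made in the SPF comments above: a published record lets receivers reject forged use of your domain, while a `pass` only says the sending host is authorized by whoever owns the domain, so it should not lower a spam score by itself.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers.
RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",       # domain owner who set up SPF
    "throwaway.example": "v=spf1 ip4:203.0.113.9 -all",  # bulk sender's own new domain
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, records=RECORDS):
    """Evaluate the envelope-sender domain's record against the connecting IP.
    Subset of SPF: ip4/ip6/all only; other mechanisms raise ValueError."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"mechanism not handled in this sketch: {term}")
    return "neutral"                         # nothing matched and no 'all' term

if __name__ == "__main__":
    # Forged use of example.org from an unrelated host is rejected ...
    print(check_spf("example.org", "198.51.100.77"))
    # ... but the bulk sender's own domain passes from its own server.
    print(check_spf("throwaway.example", "203.0.113.9"))
```
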
  • by Large Green Mallard ( 31462 ) <lgm@theducks.org> on Thursday November 09, 2006 @08:30PM (#16790047) Homepage
    This is 6 months ago thinking.

    Spam botnets now have so many client machines that Joe Spammer only needs to send out 10 or 20 messages per system per day, and he sends them out slowly.

    As soon as a solution seems "obvious" to "everyone", the spammers have moved on. I work for a university, looking after IT Security. We still get people asking us why we don't do Bayesian filtering on our ~700,000 emails per day (hint: when 85% of your email is spam, it doesn't help much) or OCR (1: CPU load++, 2: spammers now use animated gifs with noise, split in the middle of rows and re-layouted with HTML).
  • by iotaborg ( 167569 ) <exa@soft h o m e . net> on Thursday November 09, 2006 @09:47PM (#16790487) Homepage
    I got this rule somewhere, and it seems to work for filtering out the gif spam for me:

    If the "content-type" header contains "multipart/related", classify as spam (and not in address book, previous recipients, etc).

    Don't know exactly what this implies, but seems to be working for me, otherwise I would be getting tons of gif spam that passed my server's spam assassin and my e-mail client's bayes filter.
  • image based spam (Score:3, Informative)

    by mennucc1 ( 568756 ) <d9slash@mennucc1.debian.net> on Friday November 10, 2006 @05:25AM (#16791868) Homepage Journal
    I have two strategies against image based spam, for people using spamassassin (and for answering previous posts - damn this /. breakage):
    • add this code snippet to /etc/spamassassin/local.cf
      mimeheader MIME_IMAGE Content-Type =~ /image\/(?:gif|jpeg|png)/
      describe MIME_IMAGE Image in Mime
      score MIME_IMAGE 1.0
      feel free to pump up the score (and don't forget to restart spamd if you use it)
    • since the above was not enough, I started using FuzzyOCR [apache.org], and it works great (the number of image spam went from 10/day to 0/ever); so I am planning to package it for Debian [debian.org]; but the web page hints that there may be some security problem, so I am investigating.
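An added example, not code from either poster and not SpamAssassin itself: the two structural rules from the comments above (the client rule on `multipart/related` and the `MIME_IMAGE` regex) evaluated in Python over constructed messages. `multipart/related` is the container an HTML body uses to carry images it references by `cid:`, so a legitimate newsletter with an inline logo has the same shape as image spam.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

IMAGE_RE = re.compile(r"image/(?:gif|jpeg|png)")  # regex from the local.cf rule

def top_level_related(msg):
    """Client rule: the message's own Content-Type contains multipart/related."""
    return "multipart/related" in msg.get("Content-Type", "").lower()

def has_image_part(msg):
    """Stand-in for the MIME_IMAGE rule: some MIME part is a gif/jpeg/png."""
    return any(IMAGE_RE.search(p.get("Content-Type", "")) for p in msg.walk())

def mime_tree(msg):
    """Content types of every part, outermost first."""
    return [p.get_content_type() for p in msg.walk()]

def html_with_inline_gif(html):
    """HTML body plus a GIF it references by cid: inside multipart/related."""
    m = EmailMessage()
    m.set_content(html, subtype="html")
    m.add_related(b"GIF89a", "image", "gif", cid="<img1>")
    return message_from_bytes(m.as_bytes())

def plain_text(text, png_attachment=False):
    """Plain-text message, optionally with a PNG attached (multipart/mixed)."""
    m = EmailMessage()
    m.set_content(text)
    if png_attachment:
        m.add_attachment(b"\x89PNG", "image", "png", filename="shot.png")
    return message_from_bytes(m.as_bytes())

# Constructed messages; none is real mail.
SAMPLES = {
    "image_spam": html_with_inline_gif('<img src="cid:img1">'),
    "newsletter": html_with_inline_gif('<p>March issue</p><img src="cid:img1">'),
    "screenshot": plain_text("see attached", png_attachment=True),
    "plain": plain_text("lunch at noon?"),
}

def evaluate(samples=SAMPLES):
    """Map sample name -> (top_level_related, has_image_part)."""
    return {n: (top_level_related(m), has_image_part(m)) for n, m in samples.items()}

if __name__ == "__main__":
    for name, flags in evaluate().items():
        print(name, mime_tree(SAMPLES[name]), flags)
```

The newsletter and the image spam get identical results, which fits the address-book exemption in the client rule and the low 1.0 score on `MIME_IMAGE`: structure alone is a weak signal to combine with others, not a verdict.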
  • by zarniwoop102939 ( 596809 ) on Friday November 10, 2006 @09:07AM (#16792502)
    It's called "Bayesian Poisoning". Wiki here: http://en.wikipedia.org/wiki/Bayesian_poisoning [wikipedia.org]
  • Re:Commission (Score:3, Informative)

    by Cirvam ( 216911 ) <slashdot AT sublevo DOT com> on Friday November 10, 2006 @10:57AM (#16793566)
    Some discount brokerages only charge a flat rate for each trade, regardless of how many shares are traded. I know Etrade is one example and I'm sure there are countless others.
  • by Deagol ( 323173 ) on Friday November 10, 2006 @11:24AM (#16793886) Homepage
    Like for most of us, this is pretty common. If you want to generate your own such gibberish texts, based on input texts, search for a program called 'dadadodo'. I stumbled across it in the FreeBSD ports tree and had some fun experimenting with it. "Know thy enemy" and all that.
