Forgot your password?
typodupeerror

What's With All This Spam? 212

Posted by Zonk
from the pork-everywhere dept.
coondoggie writes to mention a Network World article about soaring spam levels, confirmed now by researchers, IT managers, and security vendors. So, indeed, it's not just you: October was a spammy month. From the article: "Levine's assumption is this spike in spam levels is a result of a new generation of viruses and zombies that can infect PCs more quickly and are harder to get rid of. In its October report, messaging security vendor MessageLabs says the spike is largely due to two Trojan programs, Warezov and SpamThru. Others say a new breed of spam messages called image spam -- messages with text embedded in an image file that evade spam filters, which can't recognize the words inside the image -- is responsible." A note: I have no interest in penny stocks.
This discussion has been archived. No new comments can be posted.

What's With All This Spam?

Comments Filter:
  • Commission (Score:5, Interesting)

    by GlobalEcho (26240) on Thursday November 09, 2006 @06:33PM (#16789331)
    One thing that has always bemused me about the penny stock spams is the brokerage fees. If you pay, say, 1 1/2 cents per share in brokerage, (thus 3 cents total for buying and eventually selling), your 15 cent stock trade is 20% in the hole the minute you do it.
    • Re: (Score:3, Informative)

      by Cirvam (216911)
      Some discount brokerages only charge a flat rate for each trade, regardless of how many shares are traded. I know Etrade is one example and I'm sure there are countless others.
  • I use GMail (Score:4, Informative)

    by Com2Kid (142006) <com2kidSPAMLESS@gmail.com> on Thursday November 09, 2006 @06:35PM (#16789339) Homepage Journal
    What spam? I get maybe 1 or 2 spam emails in my actual inbox each week.

    Oh, my spam folder? Over a hundred a day, but as I recall, Gmail has miscategorized maybe 2 or 3 messages as spam during the entire time I have used it. Unless I am expecting something, I rarly check the spam folder at all.
  • Bayesian training (Score:5, Informative)

    by CRCulver (715279) <crculver@christopherculver.com> on Thursday November 09, 2006 @06:35PM (#16789343) Homepage
    I use SpamAssassin and train it regularly against obvious spam. I've heard that this new crop of spam GIFs accompanying seemingly-normal text is mean to get through or even de-train Bayesian filters, but wouldn't SpamAssassin be able to recognize that one common thing about all these messages is an attached image file, and so consider that a spam marker? I read my mail as plain text in Gnus, and most people I correspond with avoid HTML mail and image attachments, so it wouldn't be a problem for me if GIFs or PNGs went straight to /dev/null.
  • Ameritrade (Score:5, Informative)

    by masterz (143854) on Thursday November 09, 2006 @06:37PM (#16789363)
    Many of these stock spams have been going to people who have accounts at Ameritrade. It is likely that their email list has been stolen. See http://www.billkatz.com/node/77 [billkatz.com] for details.
  • by GWBasic (900357) <slashdotNO@SPAMandrewrondeau.com> on Thursday November 09, 2006 @06:37PM (#16789365) Homepage

    Domain owners: Set up SPF NOW!!!

    I set up SPF on my domains and the number of bounces from spoofed SPAM dropped dramatically.

    Do not wait any longer, do your duty to the internet community: Set up SPF NOW!!!

    • Re: (Score:2, Funny)

      That's all well and good, but I find it frustrating that with all the talk about SPF, I have yet to see any recommendations on the SPF level.

      I mean, is SPF 15 good enough? I have fair skin, so I've always used SPF 45.

      Also, which brand is preferable? Coppertone?

  • Reverse OCR (Score:5, Interesting)

    by mwilliamson (672411) on Thursday November 09, 2006 @06:43PM (#16789395) Homepage Journal

    At work we use spam assassin with a gpl OCR plugin, however, it's getting foiled by intentional added noise in the images. I propose we come up with a way to detect these non-character elements (noise) in the associated spam images instead of just trying to OCR the text. The noise I've seen seems to be like it should be easily detectable.

    "Begun, this Captcha Wars has."
    -Yada

    • by aclarke (307017)
      Is your OCR filter smart enough to read the second image in the animated .gifs spammers are using now? The first image in the set is just noise, and then a split second later the actual image they want you to see comes up. You've probably noticed this trick and I've been wondering if there are filters widely available to catch this yet.

      I just use spamassassin with a bunch of the pyzor/razor/dcc checks and it does a pretty good job, but these types of spam are still getting through too often.
      • Hmmm...I didn't realize they were using animated gifs to do this. It would be easy enough to come up with some sort of filter to strip all but the last frame and run the check on that. I expect the guys working on spamassassin are probably already on it, but I'll try and hack some sort of detector together myself for fun. ;-)
  • Don't be so smug (Score:5, Informative)

    by Kris_J (10111) * on Thursday November 09, 2006 @06:45PM (#16789409) Journal
    I barely get any spam either, but my ISP's mail servers are so choked with the stuff that real emails are being delayed by as much as two and a half days. So all of you who say "What spam?" need to be aware that, unless you only send messages to yourself, it's a real problem for everyone.
    • my ISP's mail servers are so choked with the stuff that real emails are being delayed by as much as two and a half days.
      Are you sure they're not trying to send you internets instead of emails?

      I'm sorry, I feel for your plight. But I just couldn't resist the recently-dethroned Ted Stevens reference.
  • by caluml (551744) <slashdot.spamgoeshere@calum@org> on Thursday November 09, 2006 @06:47PM (#16789423) Homepage
    I can't afford the CPU power to let it check all messages in SpamAssassin. So I have to ditch many of them based on Netblock, Country, IP address, invalid EHLO, claiming they're "localhost" or "friend". Only then, after binning about 99% of connection attempts, do the remaining have to run the SpamAssassin gauntlet.

    Most of mine get binned with a 554 "You're not localhost"

    Some spammer is using an email address of mine to send spam from. So I get the people writing back, asking why I am sending them spam. And another of my domains is obviously listed somewhere as a domain where guessing user accounts might be a good idea. So I get cqoiecn@mydomain.com, zqopqwn@mydomain.com, etc. It all just sucks. I'm currently getting about 10 spams per minute.
    • by Malc (1751)
      You must be using a catch-all email address for that domain, something equivalent. I recently discovered I was getting emails like that. This was after I configured my domain (via easydns.com) to forward all domain emails to my Yahoo address. Now that I'm handling my own mail again, I don't see any of them. Exim doesn't accept them because there are no users (or aliases) that match, so I never see the messages. I'm not getting 10 attempts per minute either... but my P75 server isn't even breaking a swe
    • to reduce the impact of SpamAssassin overhead - true, this doesn't reduce the overhead itself, but it has kept it from becoming noticeable to my users:
      1) I use spamc/spamd instead of invoking spamassassin directly - big save on a busy server.
      2) Limit the size of emails being scanned - spammers usually use small messages since larger ones are more expensive (cpu and network) to send. This will probably change someday since botnets reduce this cost.
      3) Limit the number of spamc/spamd invocations to 1/user
    • I use a three-tier approach.

      Tier 1 is OpenBSD's spamd, which has a static block list. This is updated nightly based on anyone who has sent mail SpamAssassin flagged, and a couple of external sources. Anyone on this blocklist gets tar-pitted and it takes a long time for them to receive the block message. Spamd is very low resource usage, and can tie up a few thousand connections without any noticeable impact on system load on a moderately modern machine.

      Tier 2 is Sendmail, which has blocks everyone on

  • by dominion (3153) on Thursday November 09, 2006 @06:47PM (#16789427) Homepage

    I'm working on a sender stores system for a distributed social networking software called Appleseed [sourceforge.net] based, in theory, on Internet Mail 2000 [im2000.org]. I figured early on that since the system was distributed, which means that anybody could set up an Appleseed social networking "node", that it would suffer from the same problems as any mail system if I used the standard reciever-stores system.

    I don't harbor any illusions about a sender stores system being able to eliminate spam entirely, but the reason I went with it, especially after reading this indepth critique [psg.com], was that it created a system of accountability. You may not be able to stop spam, but you have much better tools for knowing exactly where the spam came from.

    The disadvantage is that it becomes, ideologically anyways, incompatible with current email systems. I consider this a small price to pay to allow admins to have better control and protection over their systems.

    The system I'm building is rudimentary for now, and only uses direct HTTP->HTTP connections to send notifications and retrieve messages, and won't have any of the fancy abilities that email has right now, but it's a start, and there's no reason that those features can't be added as it evolves. It's gonna be a big experiment, and I'm expecting a whole lot of unforseen issues, but this whole project is a big experiment, so I'm excited about the possibilities in general.
  • by Neuropol (665537) * on Thursday November 09, 2006 @06:47PM (#16789429) Homepage
    but i just recently had an older d-link wireless router that got infected with some thing that turned it in to a spam bot. it was using the router as the spam generation unit. sending out packets to and from the most random addresses. stuff that could no doubt be spam oriented. I captured about 100MB of logs pertaining to the whole issue. it even managed to block numerous updates to the firmaware. and would not allow itself to factory default. it's like it had a hwole other firmware implanted in it and was taken control of.
  • This rise in spam is actually an elaborate plan in order to get through John C Dvoraks spam filter.
  • Not just october (Score:4, Interesting)

    by Njovich (553857) on Thursday November 09, 2006 @06:48PM (#16789437)
    At my ISP, there is even more spam in November [stats.bit.nl].
  • by QuantumG (50515) <qg@biodome.org> on Thursday November 09, 2006 @06:49PM (#16789445) Homepage Journal
    I often get email that contains no advertising, contains no links, has no attachments, but is definitely not written by a human and does not convey any useful information. Often this is in the form of a short story. Sometimes it is in the form of an essay. In either case, it looks like it is generated with simple probablistic markov chaining. As such, my spam filter accepts it and I have to manually delete it. Is this just nuisance spam? What does the sender get out of it? Seems pointless, and that's pretty scary to me. I can understand being annoying so you can sell more of your product to idiots on the internet, but being annoying just for the sake of it?
    • by zarniwoop102939 (596809) on Friday November 10, 2006 @09:07AM (#16792502)
      It's called "Bayesian Poisoning". Wiki here: http://en.wikipedia.org/wiki/Bayesian_poisoning [wikipedia.org]
    • Re: (Score:3, Interesting)

      by mgblst (80109)
      This sort of spam is used to detrain spam filters. They send a message like this with random text, but no links, so the filter thinks it looks like spam, but it has no other characteristics so it is not. This detrains the text processing part of the filter. Then they can send similar messages with links, and they have a higher chance of getting through.

      Or else somebody has a really weird sense of humour.
      • Not "detraining" (Score:4, Insightful)

        by Kelson (129150) * on Friday November 10, 2006 @01:15PM (#16795332) Homepage Journal
        But if you train these messages as spam, and they send similar messages with links, those messages will actually be more likely to be recognized as spam.

        What they're more likely to succeed at is not detraining the filters but overtraining them. By sending innocuous text and getting it trained as spam, your filter is more likely to mark normal mail as spam, thus increasing the level of false positives and resulting in a filter which marks spam, but isn't terribly useful.

        At least, that's the theory, and the more likely goal. I use SpamAssassin, and I generally train on these anyway. I don't see many false positives, and of those I do see, very few (if any at all in the past year or so) have been attributable to the Bayesian portion of the analysis.

        YMMV.
    • Re: (Score:3, Informative)

      by Deagol (323173)
      Like for most of us, this is pretty common. If you want to generate your own such gibberish texts, based on input texts, search for a program called 'dadadodo'. I stumbled across it in the FreeBSD ports tree and had some fun experimenting it. "Know thy enemy" and all that.
  • SPF (Score:4, Insightful)

    by Anonymous Coward on Thursday November 09, 2006 @06:52PM (#16789453)

    The moron moderator who rated "Domain owners: Set up SPF NOW!!!" as offtopic needs to get a clue. SPF: Sender Policy Framework [openspf.org] is used so you can filter out forged mail. The recent flood of stock-pumping spam used many forged domains in the "from", and if you filtered on SPF, you wouldn't have seen as much spam.

    I might add, it would be nice for people to REJECT spam rather than BOUNCE it. When you bounce it, innocent domains get an email complaining about the forged email. With these spambots, it adds up quick! Doing a reject also allows legitimate senders to discover their email was not delivered.

  • SPF (Score:4, Interesting)

    by caluml (551744) <slashdot.spamgoeshere@calum@org> on Thursday November 09, 2006 @06:52PM (#16789455) Homepage
    Another user mentioned SPF. This is good. You configure a TXT record in your DNS, which says to the world, unless emails claiming to come from mydomain.com come from mail server a.b.c.d, or w.x.y.z, then bin them. It doesn't reduce your spam, but it prevents people being able to use our domain in the from address to send their spam, meaning you get fewer bounce-backs/user not found emails. (It can mess up forwarding though.)
    But I haven't got it working in Postfix yet, so I can't benefit from other's SPF records.
    • by Yer Mom (78107)

      Now if only PlusNet would get a clue and allow people to add TXT records to their DNS entries, rather than just A, CNAME and MX... *sigh*

      • by caluml (551744)
        Get in touch with me, and I'll host your DNS, and you have have whatever records you like in your zone.
  • Otherwise I'd be more than willing to scan the spam for the links to the beneficiaries websites and just block them or even turn chummer [slashdot.org] loose on them; but with pump-n-dumps their is no clear beneficiary.
    • but with pump-n-dumps their is no clear beneficiary

      More true than you realise. A few months ago, when I noticed the increase of stock spam, I tried tracing the history of a few of these scams. There was no clear pattern; some went up, some went down. And the volume of trades on each was so small that a very lucky investor could only have made a few hundred dollars.

      A shame; I'd been thinking about setting up a tar pit and automating it to get in on the scams early...

  • Greylisting helps (Score:5, Interesting)

    by FliesLikeABrick (943848) <ryan@u13.net> on Thursday November 09, 2006 @06:53PM (#16789461)
    Since most of this spam is sent by zombies, they care nothing about the success rate of the delivery. They just pump out thousands/millions of spam messages, hit each e-mail address once and move on. If it fails or appears to fail then it just moves to the next since single-digit success rates still result in thousands or millions of free advertising for the spammer.

    As a result, using greylisting results in filtering a HUGE amount of spam out since it fakes a temporary failure from any new server connecting and waits for the server to try sending the mail again after a defined delay (according to the RFC, mailservers are supposed to try sending again if they get this temporary deferral).

    I set this up on my primary server (ubuntu with postfix) and saw a 99% decrease in spam since none of the zombies care enough to try connecting again. By the time a zombie gets upgraded to be wise enough to evade this, it is likely to fail all kinds of other spam tests anyway (referring mainly to blacklists, though blacklisting can be extremely evil by nature).

    If you run a mailserver, definitely look into setting this up. The wikipedia article explains the low-risk nature and exactly how it works: http://en.wikipedia.org/wiki/Greylisting [wikipedia.org]

    • Actually, it doesn't make much difference anymore. Most spammers are now wise to grey listing and actually will retry. There was a good presentation (quite) recently by the OpenBSD spamd guys on the current state of the art. For the moment, a lot of spam bots will detect when they are being tar-pitted, and so if you slow down the reply for the first 10 seconds or so of a dialog with any sender then you a lot of spam-bots will automatically disconnect (assuming that you've recognised them as spammers) and
  • Pump and dump (Score:5, Interesting)

    by Ritz_Just_Ritz (883997) on Thursday November 09, 2006 @06:58PM (#16789499)
    I run a small, but publicly traded company. Recently, I was contacted by a "PR firm" about "promoting the stock" of my company. Normally, I just hang up, but he mentioned a few "success stories" which seemed to correlate to some of the recent spam that had slipped through spamassassin. So I got his contact details and said since I was really busy "could he please email a summary of what we'd just talked about" (which he did).

    I then called the enforcement division of the SEC and said I had the name and contact details for a company that was responsible for sending a number of unsolicited pump/dump email spams to me. I also told them that I had email from the spammer himself confirming that they'd done the deed. It wasn't some innocent bystander, but the people that actually SENT the mail. I was sent to a voicemail box and assured that I'd be called back. It's now about 2 weeks later and nobody ever called me.

    And people wonder why there's so many of these vermin...uh, it's practically impossible to get caught!
    • Please contact me by e-mail.
    • The other annoyance is why they have to send me 15-20 copies of each of their garbage emails. Earlier this week it was a clothing company. Now it's some petroleum company.

      They seem to have dropped their earlier format: price now $x, reached $y in last (pump'n'dump) campaign. But since $x is always much less than $y, it's obvious somebody made a hell of a lot of money on the way up, and somebody lost a hell of a lot when it tanked.

      ...laura

      • it's obvious somebody made a hell of a lot of money on the way up, and somebody lost a hell of a lot when it tanked.

        I investigated a few companies that had been spammed in this way, but I couldn't find any correlation between stock price and spam. Some of the companies went up, and some went down, just like un-pumped stocks.

        • Re: (Score:3, Interesting)

          I just looked one of the companies (the petroleum one) up on NASDAQ [nasdaq.com], and while their share price was up yesterday, then down today, the interesting thing is the way the stock has traded more in the last two days than in the entire previous year. By several orders of magnitude, in fact.

          Until May this year the company was worth approximately nothing (10 cents a share). In the last two days they pumped it from $2.95 up to $10.10, then dumped it down to $4.00. On 60,000-odd shares traded, somebody made a lot

  • by Anonymous Coward
    I would like to see an "Ask Slashdot" article on why ISPs are not making full use of available anti-spam tools like SPF. Even blocking email from known dynamic-IP ranges would stop a lot of the zombie traffic. Nobody needs to send email from a box with an address assigned to Comcast or AOL or another consumer broadband provider. Why don't spam filters take advantage of this?
    • Re: (Score:3, Insightful)

      by DrSkwid (118965)
      > Nobody needs to send email from a box with an address assigned to Comcast or AOL or another consumer broadband provider.

      Please don't tell me what I do and do not need to do.
  • Filter by IPs (Score:5, Interesting)

    by BerkeleyDude (827776) on Thursday November 09, 2006 @06:59PM (#16789513)

    Spammers put garbage in the message body, subject, other headers, etc. in order to fool the spam filters - and unfortunately, they are often pretty successful.

    But one thing they cannot change is their IP addresses. I wrote a script to parse my mail and save the IP addresses (or more precisely, their first two numbers - e.g., 213.186) that appear in spam messages, but not in normal ones. Then, I run another script on my incoming mail - which marks the message as spam if it contains a blacklisted IP address.

    I update the list of IPs once in a while, and it works pretty decently. Right now, I have about 4,500 items in the list - each one corresponding to a range of 256^2 IP addresses - so it's about 7% of the whole address space (kinda scary). It blocks about 2/3 of spam, with almost no false positives. Most of my spam is also marked by the SpamAssassin (or whatever the mail server uses) and automatically moved into the spam folder, so I just run the script once in a while, and it "learns" on its own.

    • so it's about 7% of the whole address space (kinda scary)
      Not really when you're only paying attention to the first two bytes of the address. 4500 out of 256^4 is less dramatic.

      I was always led to believe that the IP on a spam is as worthless as the rest, since it's easily spoofed. Maybe I need to return to the textbooks.
      • by spazimodo (97579)
        The IPs on any relay servers before the connection to your mail server can't be trusted. However, the IP of the server that sent the message to your server should be correct since it's your server that's adding that IP to the header.
  • by wardk (3037) on Thursday November 09, 2006 @07:01PM (#16789521) Journal
    what's the source of the spam? windows boxes
    what propagates without knowing? window boxes
    who's to blame for all this? windows boxes
    what's never gonna solve it? windows boxes
    who's gonna get most of this spam? windows boxes

    solution? no more windows boxes
  • by mgkimsal2 (200677) on Thursday November 09, 2006 @07:01PM (#16789523) Homepage
    spam, due to all the filtering, I'm starting a collection. You can watch my spam at http://www.watchmyspam.com/ [watchmyspam.com] RSS feeds and a mailing list are coming soon - we're still in beta right now...
    • by Xugumad (39311)
      No... SPF is not the silver bullet a lot of people are selling it as. However...

      "You do see perfectly genuine mail from my domain, from machines other than mine."

      Entirely true. However, this doesn't make SPF worthless. It means that, for domains where mail should only be coming from specific mail servers, SPF still helps. We're in the process of setting this up at work; we now have SMTP servers that support authentication over TLS. For e-mail from my work address, I can connect to those servers, authenticat
    • by Xugumad (39311)
      Poking through the further reading, I think it's worth pointing out that SPF explicitely allows domains to say that there are approved servers (from which mail should be trusted), but mail may come from other servers (from which mail should neither be trusted or untrusted)?
  • by carpeweb (949895) on Thursday November 09, 2006 @07:07PM (#16789551) Journal
    I noticed a few SPF comments (can't reply directly to them due to the new /. "system" that seems to prevent threading).

    I have not noticed that it helped at all in my case. I have a postmaster account set up with my host that catches all the replies to spams that are sent spoofing my domain. The number seemed to drop in the first week or so after I set up SPF, but it's now back up to an average of 500-1000 per day, and that's just the automated replies I'm seeing.

    I assume the number of spams being sent is much higher, by orders of magnitude.

    From the other comments, it seems possible that I'm misinterpreting the responses. Are they merely an indication of "success"? In other words, are they all just automated responses from the mail servers that correctly figured out (via SPF) that someone was spoofing my domain? This seems illogical, since I'm not sure why a mail server that figured this out would bother with an automated response. Such a policy would double the traffic associated with each "success", which is why it seems illogical to me.

    In addition, of course, I see "out of office" and similar replies from individual mailboxes. Are these merely the indication of mail servers that have not implemented SPF on their (receiving) end? While that doesn't seem illogical, it seems just too easy. In other words, this issue has made me a little paranoid, and I just want to make sure I'm not relying overly much on SPF.

    Are there other tools I could/should be using?

    BTW, I've never, ever received a spam that spoofed a real domain of a large organization. I've seen lame phishes like paypal5.com, but never anything exactly like paypal.com, for example. It's hard to believe that the big guys are 100% successful with just SPF. Am I just being paranoid again?

    Thanks in advance!
    • by ahodgson (74077)
      In addition, of course, I see "out of office" and similar replies from individual mailboxes. Are these merely the indication of mail servers that have not implemented SPF on their (receiving) end? While that doesn't seem illogical, it seems just too easy. In other words, this issue has made me a little paranoid, and I just want to make sure I'm not relying overly much on SPF.

      Very, very few mail servers check SPF. It would not be possible to rely overly much on SPF.
  • by goofy183 (451746) <eric.dalquist@gm ... minus physicist> on Thursday November 09, 2006 @07:08PM (#16789559) Homepage
    These are meant to poison filters. The idea being if they send a lot of messages with text they know that don't look like spam they can poison the filters and later use those known words/patterns to get real spam through the filter. There are likely other bits they are trying to poison as well with the non-SPAM SPAM messages.
  • Re:Reverse OCR (Score:3, Informative)

    by Phroggy (441) * <slashdot3@nosPAm.phroggy.com> on Thursday November 09, 2006 @07:14PM (#16789597) Homepage
    At work we use spam assassin with a gpl OCR plugin, however, it's getting foiled by intentional added noise in the images. I propose we come up with a way to detect these non-character elements (noise) in the associated spam images instead of just trying to OCR the text. The noise I've seen seems to be like it should be easily detectable.

    I use a plugin called FuzzyOcr [apache.org], and it handles animation and noise very well. Unfortunately the OCR itself isn't great, so it reads a lot of gibberish. FuzzyOCR compensates for this by being very liberal with its string matching (hence the name). The nice thing is, it correctly identifies the vast majority of the image-based spam I receive. Unfortunately, it's very easy for it to identify false positives. So far I haven't had this problem, but you might, especially if people often send you screen shots.
  • by macintologist (1025289) on Thursday November 09, 2006 @07:19PM (#16789623)
    Check out this link http://www.hawkwings.net/2006/08/01/mailapp-rule-f ix-for-image-spam/ [hawkwings.net] It's for Apple Mail, but can be applied to any mainstream email app.
  • by Kelson (129150) * on Thursday November 09, 2006 @07:20PM (#16789633) Homepage Journal
    I often get email that contains no advertising, contains no links, has no attachments, but is definitely not written by a human and does not convey any useful information. Often this is in the form of a short story.

    In addition to the bayes poisoning explanation goofy183 posted, I suspect that some of them started out as the distraction portion of an image-based spam, but the attached images were either stripped out by a relay or left off in the first place by broken spam software (like the stuff you used to see from time to time from %RNDUSER advertising %RNDADJECTIVE %RNDNOUN).

    Parent [slashdot.org]

  • Yet another group of people all saying how they'd solve the current spam problem, by addressing the current problem. Let's make better OCR!!!!!!! Let's write "true AI" grade image recognition! When will it end?

    Don't you people know that the bad guys can program too?

    I'm amazed these anti-spam companies don't have their own private small armies of grey-hats trying to break their own products. I swear half these stupid ideas would just go away.

    Personally, I think it's time we move to a completely different mod
    • by DrSkwid (118965)
      > We already have the equivalent of skin and cell walls, protection of networks and computers against outside pathogens.

      Cells use whitelisting.

      Whitelisting does not work for letting your new customers email you.

      next idea ?
  • Re: Filter by IPs (Score:3, Informative)

    by Kelson (129150) * on Thursday November 09, 2006 @07:33PM (#16789689) Homepage Journal
    But one thing they cannot change is their IP addresses.

    Sure they can. They've got access to botnets of random compromised PCs sitting in homes and offices around the world. If they find one being blocked too much, all they have to do is send the commands to another one. It's legit mailers, who have anywhere from one to a few dozen outgoing servers (depending on the size of the organization) who can't change their IPs.

    I wrote a script to parse my mail and save the IP addresses (or more precisely, their first two numbers - e.g., 213.186) that appear in spam messages, but not in normal ones.

    The list you're putting together is probably mostly a mix of spam-friendly ISPs and residential/small business DSL/cable IP blocks. The reason you're not seeing many false positives is that most legit home users send through their ISP's mail server rather than directly to you, so you don't see that their IP is on your list.

    Parent [slashdot.org]

    • But one thing they cannot change is their IP addresses.
      Sure they can. They've got access to botnets of random compromised PCs sitting in homes and offices around the world...

      Yes, but those compromised PCs and ISP home user gateways are not sending us legitimate email. A legitimate email from the guy who owns the PC will be coming out through his company/ISP mail server which is unlikely to be the same.
  • There's still raging debate about the effectiveness of SPF in the war on SPAM.

    While I agree that it will help prevent forgery of your own domain, it doesn't really prevent the spammers from setting up SPF records for their domains with really loose rules, thus circumventing the "I know who sent this" part of SPF.

    And, not to be too negative, SPF still doesn't have a good solution for secondary delivery (BackupMX, email forwarders, etc).

    If you're still positive on the technology, you might want to co
  • Tell the truth (Score:5, Insightful)

    by grcumb (781340) on Thursday November 09, 2006 @07:47PM (#16789763) Homepage Journal

    Is there any chance whatsoever that we might somehow convince people to start telling the whole truth?

    Levine's assumption is this spike in spam levels is a result of a new generation of viruses and zombies that can infect PCs more quickly and are harder to get rid of. In its October report, messaging security vendor MessageLabs says the spike is largely due to two Trojan programs, Warezov and SpamThru.

    This description is almost a lie. This is not malware for PCs. This is malware for Windows. Not Linux, not 'PCs', Not Mac, Not Amiga, BeOS, Wind River, Next, BSD... whatever.

    I'm not bashing, creating FUD or anything else. This Is Not A Trap. I'm just sick and tired of being painted with the same brush as Windows. The 'PC Virus' term is misleading; it makes my life a lot more difficult when I have to go to great lengths to explain to people that, actually, almost all of this malware only affects Windows and the software that runs on it.

    Try to imagine how Bayer would have responded if the poison Tylenol scare in the late 80s were characterised in the media as 'poison headache remedy'? They would have freaked, and consumers would have, too. Journalists have a duty to report accurately and completely on issues that affect us, and this intellectual laziness is starting to look more and more like dishonesty as time goes on.

    • For both the audience that the media is writing for, and for the media themselves, a PC *is* Windows. They understand that. When I tell people that my computers (all linux or BSD) have never gotten any viruses, that they've never (to my knowledge) gotten taken over or infected with anything, that I don't have to run antivirus programs, they look at me like I have something wrong in my head unless they already know a lot about computers. The general public has accepted viruses and trojans as the cost of d
  • by Anonymous Coward on Thursday November 09, 2006 @07:53PM (#16789777)
    I used to work for a spam company. They would buy 10 domains a week at $5/domain (reseller license). I setup SPF records for all of those domains because it would reduce the spam score at some ISP's if mail came from a domain with a valid spf record. We were making $20k/day, so the cost of buying a domain was minimal. SPF records aren't quite used the way they should be.
    • by alexo (9335)

      I used to work for a spam company... We were making $20k/day

      Ignoring for the moment your admission of guilt, how did you make that $20k/day?
      Who was paying you?
  • I mean, if I set up a web server on port 80 (assuming it isn't blocked), or other port - and they find out, they can shut my service down according to the TOS with Cox (probably the same with other providers, Speakeasy excluded).

    Now - that is a web server, something fairly innocuous which I SHOULD be able to run if I want to.

    Meanwhile, we have SPAM zombie Windows boxen spewing tons of crap out their ports, acting exactly like outbound mail servers, sending junk nobody wants, and the user doesn't know...

    I wo

  • by Kelson (129150) * on Thursday November 09, 2006 @08:10PM (#16789899) Homepage Journal
    Spammers have adapted and many have valid SPF records.

    And this is a problem because... you can validate it, know that the spam really came from the spammer's own domain, and blacklist them. No, wait, that isn't a problem.

    SPF was never about stopping spam, or about bypassing filters. It was about identifying forged senders at the domain level. It happens that there's a high correlation these days between the two, and in the long run knowing whether the sender is valid will be a useful piece of input in spam filters. And of course spam is what gets the headlines.

    If you have some way of validating that the sender is who they say they are, you can do a number of things:

    • Whitelist/blacklist based on domain name. (SpamAssassin provides hooks for this, and SARE provides some rulesets that make use of them)
    • Don't send C-R challenges to a sender that you know is forged.
    • Only send C-R challenges to a sender that you know is valid.
    • Don't send bounce notices to forged senders.
    • Block messages with forged senders, or treat them with suspicion.

    The main problem is that neither SPF nor DomainKeys has reached critical mass. Not enough places have implemented them, and implemented them strictly, for it to be worth checking. Not enough places are checking for it to be worth implementing.

    Part of it is inertia. And there are still two main problems: forwarding services and road warriors. Both have solutions. You can have an SPF-aware forwarder, or one which implements DomainKeys. You can set up SMTP-AUTH on the submission port and remote users should theoretically be able to send using the home server (unless the network is brain-dead and blocks port 587 in addition to 25. And I have no doubt that they exist).

    Whether SPF will prove useful in the long run is, I think, still up in the air. But saying that it's useless because spammers have "adapted" to it is missing the point.

  • Image spam? (Score:4, Interesting)

    by slackmaster2000 (820067) on Thursday November 09, 2006 @08:12PM (#16789915)
    The experts are implying that image spam is a new trick, and in a large part responsible for the increase in spam lately. However, it seems to me that image spam is a very old trick that spam filters are trained for. My spam filters block all messages that only contain images, for instance. I suppose that a mixture of text and images is what is effective, but from the filter's point of view, it doesn't matter much that the image is there. The spammers have already been using tactics like this, with or without images, for a long time. And in my little corner of the universe, image spam hasn't been getting through any better than spam without images.

    Anyhow, I'm seeing a massive increase in spam since late September. While our filter is effective, the sheer volume has meant that many more junk messages are getting through. I think that what a lot of people fail to realize is that while the problem of spam can be dealt with effectively for personal email, especially if you take advantage of an online service like gmail, it's a totally different ballgame in the corporate world where spam is a tricky and costly problem. Work email addresses get published (thus harvested) for a number of legitimate reasons, and once mailbox is on the radar it seems like the rest of them start getting sucked in. Some employees can effectively ignore their junk boxes, but others simply can't -- it can be costly to miss an email. This reduces spam filtering for these employees to a simple ranking system: "here are messages that are probably legit and you should look at right away, and here are a whole shitload of messages that are probably junk but there might be an important one in there somewhere."

    My organization is relatively small, and we don't benefit from hundreds or thousands of users training the filter. Thus when there's a large increase in spam that's getting through, it can take the filter a while to learn to block them effectively. During this time it's not uncommon for the occasional legitimate message to be sent to the spam filter by a user who doesn't notice it tucked into the 75 new messages in his mailbox, and this makes matters even worse. Finally, it's really hard to get users to send their junk mail to the filters, even when you've got it setup as a simple drag & drop procedure that's just as easy as deleting. If you can only convince a percentage of your people that training the filters actually works and is important, and you only have say 50-100 employees, then you may not have near the support required to really make Bayesian filtering work to its potential effectiveness.

    Anyhow, over here we've seen a huge increase in spam, with some email-heavy users who used to get 10 in their inbox per day now getting 30 to 50 or more, and with potentially hundreds going to junk boxes. (this has decreased, I think things have settled down during the past week) We run a variety of filtering measures including header checks, DNS blacklists, and Bayesian analysis but just enough spam is able to get through on a daily basis to make things difficult. Back to my original topic: virtually none of the spam getting into user inboxes has been image spam, and only a small percentage of blocked spam is image spam.

    Stats from last thirty days here: Messages Processed: 91588, Spam: 72881, 80%. A large portion of our legitimate messages are internal, which are not "filtered", but still counted by the system. A large number of spam messages are getting through, so I would conservatively bump that percentage up to 83-85%.

    What an absurd problem. I'm going to have to put more effort into reducing its affect.
  • I did this. It didn't help at all. Maybe whoever is joe-jobbing me is sending all the email to servers that don't have SPF checking. Sigh.
  • Re:Tell the truth (Score:5, Interesting)

    by Large Green Mallard (31462) <lgm@theducks.org> on Thursday November 09, 2006 @08:25PM (#16789997) Homepage
    Mmm well. I work in IT Security for a university.. we're used to seeing random PC's get infected with stuff and sending out spam. We were surprised when a few weeks ago we saw our main linux shell machine sending out 14000 spams in an hour. Investigation showed that the spam kiddies had found out login details and setup a perl script to send spam from it. We've also seen it before from MacOS X machines running SSH with weak passwords.

    In other words, I suspect it's probably not a great long term plan to be smug about windows vulnerabilities causing all of the problems. It will continue to be one, for sure, but the spammers have other tricks which are contributing to the problem :/
  • by Large Green Mallard (31462) <lgm@theducks.org> on Thursday November 09, 2006 @08:30PM (#16790047) Homepage
    This is 6 months ago thinking.

    Spam botnets now have so many client machines that Joe Spammer only needs to send out 10 or 20 messages per system per day, and he sends them out slowly.

    As soon as a solution seems "obvious" to "everyone", the spammers have moved on. I work for a university, looking after IT Security. We still get people ask us why we don't do bayesian filtering on our ~700,000 emails per day (hint: when 85% of your email is spam, it doesn't help much) or OCR (1: CPU load++, 2: spammers now use animated gifs with noise, split in the middle of rows and re-layouted with HTML).
  • As new versions of spam-filters get upgraded to detect text inside graphics and analyze it along with other text for spamminess, the spammers will, no doubt, start using "captchas" to make the detection harder.

    Research on the detection will then improve (much of it -- in Open Source), allowing the spammers to defeat the captchas currently used on web-pages...

    Information wants to be free, but there is something about keeping your designs secret from the enemy.

  • re: Image spam? (Score:3, Interesting)

    by kimvette (919543) on Thursday November 09, 2006 @08:34PM (#16790087) Homepage Journal

    by slackmaster2000 (820067)
    The experts are implying that image spam is a new trick, and in a large part responsible for the increase in spam lately. However, it seems to me that image spam is a very old trick that spam filters are trained for. My spam filters block all messages that only contain images, for instance. I suppose that a mixture of text and images is what is effective, but from the filter's point of view, it doesn't matter much that the image is there. The spammers have already been using tactics like this, with or without images, for a long time. And in my little corner of the universe, image spam hasn't been getting through any better than spam without images.


    (I'll echo others here: where is the threading?)

    The problem is, spam isn't just an image now. It's:


      [ image ]

    In a tube without warning the face of buddhist grew sullen Black angry mouths, the clouds swallowed up the obliged The air was lowhanging with suppressed excitement The account howled through the fires and sobbed and unfathomable in the secret of the holes The chime of the technology bell flowed out into the trooping The flirt notes the holy chant heavyduty with the storm like riotous angels with Satan At last the fraudulent of graphically lay vanquished. The grill paused in its course to do merriwether to God. emissary however alanding clap of thunder smote the sky The afloat chime of the scarves off with a a blockaders dissonance Demons seemed the brethren occupations plaque with gleaming eyes and trembling galileo the militant army of Godswept up finance stairs mumbling the ritual of the danger Infected fusty by the belle hysteria Aubrey britches of the refreshed Unearthly noises like a deftly parody of the holy freshly that marks the elevation of the claims alarmed the ears the hightech monks unspeakable blasphemies icons with to wetting Rain came down spoiled cataract closing of lightning chased one oblique like battling fiery dragons. dimensions jangled hideously out of hallucinating lining and pressed experiment The bands through issues more then mingle and rubbed both sparrowhawks


    Throw in random prose, and you're not only tricking rules-based filters, but de-training bayesian filters. :(
    • by CrayDrygu (56003)

      by kimvette
      Throw in random prose, and you're not only tricking rules-based filters, but de-training bayesian filters. :(

      How is that de-training anything? How much legitimate email do you get using the words: buddhist, sullen, lowhanging, howled, fires, sobbed, unfathomable, chime, trooping, flirt, chant, heavyduty, riotous, graphically, vanquished, merriwether, emissary, alanding, smote, afloat, scarves, blockaders, dissonance, demons, brethren, plaque, gleaming, trembling, galileo, militant, fusty,

  • Regarding the image spam that's on the rise, some spam filters are actually using OCR to turn the images into text and then scan them. There's a plugin for SpamAssassin called FuzzyOCR which does this. I'm testing it out and it actually succeeds on about half of the image spams I get (the other times, it crashes due to bugs in the various image converters that it relies upon).

    It does jack the server loads up, as you'd expect. Fortunately, one of the features that it uses is that it keeps a hash value (an

  • Some spammer is using an email address of mine to send spam from. So I get the people writing back, asking why I am sending them spam. And another of my domains is obviously listed somewhere as a domain where guessing user accounts might be a good idea. So I get cqoiecn@mydomain.com, zqopqwn@mydomain.com, etc. It all just sucks. I'm currently getting about 10 spams per minute.


    Yes, I'm getting this too...

    Bounced emails to guessed email accounts. But with forged headers saying that I'm the sender. I know th
  • I use SpamAssassin and train it regularly against obvious spam. I've heard that this new crop of spam GIFs accompanying seemingly-normal text is mean to get through or even de-train Bayesian filters, but wouldn't SpamAssassin be able to recognize [snip] ...

    Yes and no. I use SA on my mail server with the additional SARE plugins. SA does recognize email with an attached GIF but really, it cannot detect much else beyond that. An attached GIF on a seemingly spam-like message (on my system) counts as 1.3 out of
  • Postini isn't perfect, but it's good. It blocks something like 99% of the spam. Best of all for a small shop like mine with just a few mailboxes, the constant barrage of attempted deliveries each day never get on that network pipe I'm paying for. They don't busy my server with oddball filtering schemas or neural network comparisons (which is one technique I tried that was effective but processor intensive). Everything is very peaceful now my servers.
  • After reading your post, I've decided to buy Alcoa shares (AA). So should you. THIS IS GOING TO EXPLODE!

    </sarcasm>

    I don't own an Ameritrade account, don't publish most of my addresses, and I'm still getting a barrage of penny stock spams. So, I don't believe the Ameritrade break-in is behind this.

    However, I'm about to ask my lawyer if it's legal to short them. ;p
  • I don't use gmail. I have a gmail account though. I logged in, after having not visited it for about ohhh... near a year. Full of spam. I never once used it, didn't give it to anyone, put it on a form, etc So I can't possibly see how you could actually use it and have have less spam.
  • I really really would like to. My hosting provider (1and1) has given me the following two answers:

    August 2005:

    At the current time we do not offer the addition of SPF records to your DNS records. I have passed your concerns on to the development team as a suggestion to have them added to our services.

    November 2006:

    Unfortunately, we do not know yet if it is possible to add SPF records to DNS entries.

    I really don't want to get rid of them, as they have otherwise spectacular service with ginormous amounts of

  • I use aliases for every different website, forum, and merchant I sign up at. Like cdw@mydomain for CDW purchases, etc. It's very interesting to see which address is being used to get spam to me... which worries me because what if they made off with the rest of my account info? I always contact the vendor and explain to them that they've been compromised but they never believe me or I get a knucklehead support person who isn't capable of problem solving.

    At least I know who the offenders are and can delete
  • I got this rule somewhere, and it seems to work for filtering out the gif spam for me:

    If the "content-type" header contains "multipart/related", classify as spam (and not in address book, previous recipients, etc).

    Don't know exactly what this implies, but seems to be working for me, otherwise I would be getting tons of gif spam that passed my server's spam assassin and my e-mail client's bayes filter.
  • by Sloppy (14984) on Thursday November 09, 2006 @10:03PM (#16790559) Homepage Journal

    Reputation systems that assert "x is not a spammer", perhaps with some delegation, is the only long-term answer. Blacklisting was a decent heuristic for a while, IMHO, but it is now approaching end of life.

    But whitelisting will require authentication. Are you openpgp-signing your mail yet? If not, then you're part of why whitelisting can't take take off yet. You're part of the spam problem.

    BTW, one thing I don't get about image spam, is how they get the receivers to look at the image. When I receive a spam, especially one with a lot of nonsense text, it doesn't even occur to me to examine the attachments. It's not so much paranoia about a libpng buffer overflow or something, as it is lack of curiosity.

    All I can think of, is that there is some popular email client out there, which shows attached images automatically whether or not the user expressed an interest in the attachments. If that's what's happening, then that email client needs a patch.

  • nope. I've been training S-A for years now and it has worked nearly flawlessly until these embedded image spams. I haven't been reading my spambox closely so I don't know how many of them are caught, but 10-15 of them make it to my inbox each day. Few other spams make it through, but a significant number of these come through.

    It's extremely frustrating. I have been looking at the source of them to try to find something common to filter on with procmail but they are encoded MIME attachments which I'm not
  • From TFA:"Tumbleweed on Tuesday introduced its Adaptive Image Filtering technology designed to block image spam by using an image-processing technique called wavelet transform,...."

    Why bother analysing the images? Block all email with attached images. Whitelist your friends and usual correspondents in case some insist on using "stationery" or sending images.

  • by Cid Highwind (9258) on Friday November 10, 2006 @12:18AM (#16791108) Homepage
    If content type is "multipart/related"
    And:
    Any attachment name contains ".gif"
    And:
    Sender is not in my address book
    Then:
    Move message to folder "Spam Can"

    Translate rules as necessary for your favorite mail client.
  • Yes, but these UnDER\/ALUED COMPANIES are poised to S * O * A * R!!! 20% is nothing, don't you know these stocks will make it back in a week?
  • by MoxFulder (159829) on Friday November 10, 2006 @12:31AM (#16791164) Homepage
    Greylisting might be very effective for now, but of course the "fix" is quite easy: the spammers can reprogram the zombies to retry after temporary failures. In that case, greylisting won't slow them down more than proportionally to the rate at which they encounter temporary failures... I'd say a maximum rate of maybe 1 in 3 would be acceptable before legitimate email would be impacted too severely.

    1/3 less spam is still waaaaay too much spam. I'm afraid that even though greylisting is a smart trick, it's not sustainable. Then again, I'm beginning to believe there's *NO* long-term way to slay SPAM, that it will be a permanent back-and-forth battle for years or decades.
  • by bourne (539955)

    I might add, it would be nice for people to REJECT spam rather than BOUNCE it. When you bounce it, innocent domains get an email complaining about the forged email. With these spambots, it adds up quick! Doing a reject also allows legitimate senders to discover their email was not delivered.

    It would be nice, but unfortunately, that runs counter to the time-tested design of essentially every Mail Transfer Agent out there.

    Any decent MTA will carefully ensure that the incoming mail message is written out,

  • image based spam (Score:3, Informative)

    by mennucc1 (568756) <d3slash@mennucc1.debian.net> on Friday November 10, 2006 @05:25AM (#16791868) Homepage Journal
    I have two strategies against image based spam, for people using spamassassin (and for answering previous posts - damn this /. breakage):
    • add this codesnip to /etc/spamassassin/local.cf
      mimeheader MIME_IMAGE Content-Type =~ /image\/(?:gif|jpeg|png)/
      describe MIME_IMAGE Image in Mime
      score MIME_IMAGE 1.0
      feel free to pump up the score (and dont forget to restart spamd if you use it)
    • since the above was not enough , I started using FuzzyOCR [apache.org] , and it works great (the number of image spam went from 10/day to 0/ever); so I am planning to package it for Debian [debian.org] ; but the web page hints that there may be some security problem, so I am investigating.
  • Indeed, my gmail account has seen a DRAMATIC rise (something on the order of 150+ per day, from around 30 per day) in spam arriving in my spam folder. The occasional 1 or 2 still makes it through to my inbox, but most of those are foreign language, usually asian languages that I can't read anyway. It seems like a huge proportion of them are joe job spam bouncing back for my domain, as well. Annoying that the spammers have picked up my domain as a joe job domain, but what can ya do?
  • Now this *is* actually interesting.

    Please, oh please, post the name, email, telephone number, adress, etc of these bastards right here on Slashdot.
    Remember the last time this happened? The post office complained to the spammer that they have to send an entire car to his home - twice - just to deliver the endless amount of letters, offers, catalogues, etc - all which he had apparently subscribed to... >:)

    If we find anything about these morons - and can confirm them to be spammers - let's post them here. A
  • Microsoft must take some of the blame for this. Windows' lack of security has led to these huge Windows botnets, and the only way to solve the problem is for these boxes to switch to a more secure OS. If Vista has really fixed the security issue as Microsoft claims, maybe they should be giving it away free to solve this problem which they caused...
  • So I don't really know what any of you are talking about.

    October was a spammy month? Hrm. My condolences.

    No bayesian training, no spam filters, no whitelists, no blacklists, and my MX is wide open: no DNS blacklists either.

    Oh well. My condolences for those of you who can't use one-off aliases and keep perfect control over who has which alias and where.

Somebody ought to cross ball point pens with coat hangers so that the pens will multiply instead of disappear.

Working...