Spam Gets Personal 141

Vitaly Friedman writes "Two researchers demonstrate how much more effective spam could become if its authors used basic data-mining to personalize their messages. From the article: "North America, though no longer the world leader in spam production, still has serious potted meat problems. A recent research paper out of the University of Calgary suggests that those problems could soon be a lot worse if spam creators adopt a few simple data-mining procedures.""
  • by dotpavan ( 829804 ) on Tuesday May 02, 2006 @04:30PM (#15248695) Homepage
    Dear Beloved Dear Mr/Mrs Dearest friend Hi honey

    If this isn't personalized, what more can I expect? :)

  • Dupe. (Score:4, Informative)

    by khasim ( 1285 ) <> on Tuesday May 02, 2006 @04:30PM (#15248696) 1210 []

    And not very accurate the first time, either. Since Mom probably isn't going to be sending me v1agr4 ads, it will be easy to find and clean the infected machines.
  • by Anonymous Coward on Tuesday May 02, 2006 @04:30PM (#15248697)
    Thanks! just what I want spammers to know
  • by Foamy ( 29271 ) on Tuesday May 02, 2006 @04:30PM (#15248700)
    University of Calgary!!!!!!!!!
  • by drsmack1 ( 698392 ) * on Tuesday May 02, 2006 @04:32PM (#15248713)
    Are they also hosting some pages on their site to help me make anthrax or a nuclear bomb? How about how to pick up under age girls.

    Seriously; do the spammers NEED any more help?
  • by truckaxle ( 883149 ) on Tuesday May 02, 2006 @04:32PM (#15248718) Homepage
    Two researchers demonstrate how much more effective the AIDS virus could become if only a few basic modifications could be made to personalize the attack on the immune system.
    • The problem is not the supply, it's the demand. As long as people keep clicking those links, spammers will keep sending. And spam is evolving at a much faster rate than our filters. You think spammers don't know this stuff? The best filter is an educated user.

      In response to your analogy, isn't it a good thing that scientists be aware of this and prepared to respond?

      • I get the feeling the response rates are so ridiculously frickin' low already that removing the last bit of idiot clicking is going to be an impossible task.
        • ...unless we remove the idiot. Not so hard, send out spam with some new weight loss/viagra/penis-breast enlarger/etc... pills, and make the pills poisonous.

          Sure, maybe not high on the ethical scale, but think about improvements to humanity as a whole.
      • there will always be a relatively small percentage of people who show maladaptive behavior. Just as there is a much larger percentage of people willing to take advantage of those unable to control themselves. It's criminals and their victims vs. everyone else.

        The solution is not to be found in expecting *everyone* to change their behavior, because such an expectation is bound to fail. The solution is to be found in tightening up the mechanism behind data authentication and transport, both with technology an
        • I don't mind a new or updated standard if it provides a rock solid way of proving who sent the email, requiring each email address to actually have the sending server know it exists. That way nothing can come from a forged domain, because the mail relays will simply go "Nah, it ain't a real address". Likewise spammers can't use a real domain and forge the sender because the server when queried will go "Nah, it ain't a real address". Finally, if the spammer does use a real address the sending server will rep
        • My stats right now:
          Messages received: 9,466
          Messages identified as spam: 394
          Messages flagged with a virus: 1

          Sure, it's possible to get better than that. But for the company I work for, the "spam problem" is effectively "solved".

          And over time, it's just going to get better as the spamtrap addresses I've been using are sold and re-sold amongst the spammers.

          I'm sure others have even better stats. I'm using a mix of Exim4, greylisting and SpamAssassin along with my personal white/black lists (populated by
        • This can only be done with cryptographic hardware installed on every machine, and a new SMTP protocol. Sucks, doesn't it. Bye bye anonymity, but at least it would get rid of spam. Pick your poison.

          There's this SPAM remedy boilerplate which would be appropriate here. However, I'm too lazy to look it up.

          Short answer: Botnets send out majority of spam right now. Botnet pwned box will pass whatever origin query you may subject it to, right down to chirpily answering challenge/response type lookups. And most box
    • Yes, because talking about how spam will probably change in the future (with or without this paper) is analogous to deliberately coming up with ways in which a lethal virus could be engineered to kill other people.
    • That has been done.

      15 years ago as a part of my coursework in Mol Biol I had to read a few years worth of issues of the American Journal of Human Genetics []. While most of them were the usual polymorphisms, Bayes Statistics and similar stuff, one article struck me as utterly suicidal. Some psychopaths (I would not call them anything else) were reporting preliminary findings on a potential HIV vaccine. They tried to design it by introducing genetic material responsible fo
      • I'm reminded of Mark Buller, the guy who improved the accidental enhancement mousepox into a 100% deadly disease even in mice vaccinated against it. A guy named Ramshaw was researching transmissible mouse contraceptives to deal with an overpopulation problem and spliced a gene for the immunosuppressant IL-4 into mousepox. Unfortunately, this led to the death of 60% of the test mice. Buller published research where he expanded on this idea by putting the IL-4 gene in a better spot and put in another gene
  • don't kid yourselves (Score:4, Interesting)

    by Anonymous Coward on Tuesday May 02, 2006 @04:33PM (#15248727)

    The US most definitely is the world leader in the production of spam []

    treat the disease not the symptoms

    • The US most definitely is the world leader in the production of spam

      USA! USA! USA!

      More seriously... I believe that list lists the nationalities of the spammers.. not the country where the spam actually originates. Let's be careful to not confuse Americans with America. For instance, the #1 guy on the list is an American, who hosts most of his spam servers in China.
      • Yeah, but.... So?

        American spammers, spamming to an American audience, to earn American dollars for their American companies. In that situation (and obviously anecdote != data, etc, but personally that situation accounts for at least 75% of my spam) it's an American problem. Who gives a monkey's where the servers are, physically? That's what really annoys me when I see slashbots talking about firewalling China or dropping all packets from Europe as an anti-spam measure. It's an American problem! (By wh

    • According to TFA, they were talking about the origin of the emails; as in where the mail server was, but it seems obvious that most of these were outsourced by American spammers. Most of the products being advertised are definitely American.
  • by MrBulwark ( 862510 ) on Tuesday May 02, 2006 @04:34PM (#15248733)
    And while we are at it, let's publish a paper telling people how to do a better job money laundering, or a new way to smuggle cocaine into the country.
    • by fosterNutrition ( 953798 ) on Tuesday May 02, 2006 @04:40PM (#15248784) Journal
      Don't be so hasty to attack their research. If you think about it, this isn't really any different from publishing a whitepaper showing how to break the DRM on a file, or how to phreak an old phone. No, this is not intended as flamebait, but it seems to me like any distinction drawn between those actions is based simply on the prevailing culture and attitudes at /. where breaking DRM = good, sending spam = bad.

      Now I'm not trying to argue that we should have more spam, but the people at Sony would also not want to argue that we should have more DRM-cracking. It's simply a matter of perspective. And anyway, I'm sure the paper (no I didn't RTFA) was created to try to address the problem before it really shows up so it's not so bad rather than encouraging the noxious spamlords.
      • Except a better analogy would be if you were talking about breaking the DRM on every copy of a piece of software world-wide. Or, to phreak every phone in France (or wherever) to give free calls.

        Both of your supposed analogies are actions against single instances of an inanimate object.

        Perhaps you're trolling but, you know, spam scales to affect millions of people (if it works!).
        • You're right it was a bad analogy (nothing unusual for /.), but I don't think (s)he was trolling. The point I think the GP was heading towards is that security by obscurity does not work, in any form. Data mining a database that is "in the wild" is nothing a spammer couldn't have thought of by themselves. The real question is how the data got out there in the first place, and preventing it happening again.
    • They thought some people would say that they shouldn't be doing this kind of research:

      "Some might argue that publishing such research will only guarantee that the ideas are used by spammers, but the authors are convinced that such personalization will happen sooner or later anyway, and that it's better to be prepared for the inevitable than not to talk about it."

      I don't know if I wholly agree with them, but at least give them credit for thinking that they can head the spammers off at the pass. Maybe th

      • SI, please (Score:2, Offtopic)

        Maybe they really think that an ounce of prevention is worth a pound of cure.

        These guys are from Calgary. A gram of prevention is worth a kilogram of cure. None of these barbaric, obsolete units of measurement for them.

        Ah poop, I'm going to get modded offtopic again, aren't I?

    • It takes a maniac to catch a maniac.
    • Well, a very simple and easy way to smuggle cocaine into here, would be for the smugglers to create an underwater glider. The idea originated at either Woods Hole/Scripps, but they are operating a joint program on it.

      Now how can a smuggler use this? A Colombian drug lord can afford to research and create their own glider. It can then be loaded with several tons of coke. Yes, TONS. Then allow the glider to do its thing. How long will it take? Who cares as long as it gets there. It may have to move across t
    • way to smuggle cocaine into the country.

      I think if you saw first hand the positive effect that the income produced from cocaine exports has on otherwise forgotten, poverty-stricken Bolivian townships you'd rethink your views on cocaine. They supply a sought after product, to a willing market and then, because of the 8 to 1 exchange rate, make a lot of money, which then gets spent liberally in the local township. The difference between a cocaine exporting township and a non exporting township in Bo
  • You don't know serious potted meat problems until you've seen my kitchen sink.
  • I'm lumping this article describing how spammers could be yet MORE annoying with the Fox News special reports in which Geraldo Rivera details how many people could be killed if "terrorists were to jump this 6 foot chain-link fence and put a couple buckets of toxins in this bay-area reservoir".

    Thanks - hope those spammers/terrorists have TiVo and a notepad.

    Scott Richter, are you getting all this?
  • smtp doesn't work (Score:3, Insightful)

    by maynard ( 3337 ) <j.maynard.gelina ... minus cat> on Tuesday May 02, 2006 @04:37PM (#15248764) Journal
    I'm ready to give up on email because of the spam load. At this point I'm seeing mail servers with significant load simply for spamchecking, graylisting, and hanging up on bogus inbound connections. Face it, smtp doesn't work. It's a tragedy of the commons happening right in front of all of us.

    We need something different that focuses on point to point authentication of hosts and users. Frankly, hardware DRM or immutable hostids built on to motherboards might offer at least a host authentication solution. Not a popular suggestion, I know...
    • by Lispy ( 136512 ) on Tuesday May 02, 2006 @04:46PM (#15248829) Homepage
      Every day I get quite upset by opening my reallife mailbox.
      It's totally unacceptable: Buried below a ton of trash I find two seriously dangerous invoices with 4-digit numbers in the red. If I ever miss out one of them I'd probably go to jail, but hey, why not throw another pizza flyer on top of all that, the planet sure can handle this and what else are those trees for?

      Personally if I was going to choose I'd vote for e-mail spam just to get rid of this total waste of resources.
      There should be a LAW against this, and against buying from spammers, reallife or virtual.
      • I can't speak for UKian snail mail, but here in the US critically important mail -- usually legal mail -- is sent return receipt requested. Meaning that someone has to sign for the mail, and if no one is available to sign one must go to the post office to sign and pick up the letter.

        There is nothing analogous to that in email. Primarily because there is no mechanism to first ensure authenticity and then ensure delivery. A public-key cryptographic system that used hardware level keys (or key generation) coul
        • Sounds familiar. I've been jumping up and down proclaiming the need for end-to-end authenticated SMTP for... many [] years [] now.

          • It would basically make it impossible for bots to be their own SMTP server, for one, which would significantly reduce their utility, as it would make return address spoofing (pretending to be at a different ISP) impossible.
          • By mandating SMTP Auth for the initial hop, it would allow ISPs to then cap the rate of messages sent by an individual through their ISP's mail server.
          • This, in
          • My only problem with smtp-auth is that it represents a key validation mechanism and not a host validation mechanism. That is, one can assert that a sysadmin built a version of sendmail and generated a key for smtp-auth, but one cannot assert that a particular host *used* that key - only that a specific key was used in generating the authentication header. That's why I think it needs to be tied into a hardware level DRM or hostID mechanism.

            As for delivery authentication, that's another kettle of fish. Two s
            • I don't think the issue of a mail server lying and saying that it used a key when communicating with the sending user is all that important, personally. For the whole certified email equivalence, yes, I suppose it is, but for getting rid of spam, not so much.

              If you really want to ensure that an email was sent by a particular person, nothing short of the actual sender signing the entire message with a private key which can then be verified against that person's public key will really provide that. I don'

        • I can't speak for UKian snail mail, but here in the US critically important mail -- usually legal mail -- is sent return receipt requested. Meaning that someone has to sign for the mail, and if no one is available to sign one must go to the post office to sign and pick up the letter.

          Sometimes it is, sometimes it isn't. Sometimes it's merely sent registered (as in the sender gets proof of mailing, and the postman fills out a form when he puts it in your mailbox). Sometimes it's merely sent certified. In

        • Actually, there are both systems in place for email.

          For sender authentication there is S/MIME, the standardized version of PKCS #7. It can, with a very high level of security, demonstrate who sent an email message.

          For ensuring delivery there is RFC 2298, which describes "Message Disposition Notifications", including return receipts. All the "groupware" client/server packages (Exchange, Groupwise, Notes...) have since their respective version 1.0's supported this internally.

          "Important" messages should almos
          • That's the point. They don't deal with policing bad behavior during envelope exchange. And the only way to do this is to verify hostIDs in order to track the system to its owner. In the end, the only system that can possibly work will be one that forces people to be legally responsible for the traffic sent from their systems, with an enforcement mechanism.
        • A public-key cryptographic system that used hardware level keys (or key generation) could at least ensure authenticity point to point during envelope exchange. It would also mean being able to reject mail from specific hosts, rather than ever shifting IP addresses.

          Rejecting based on hostnames used in the HELO/EHLO? You can already do that in the major Unix MTAs. That doesn't stop the spammer from claiming to be something else. The spammer _0wns_ the sending host. The spammer can choose to send you whatever c
          • Spammers have more money than you do. They have more resources than you do. More bandwidth, more sending hosts, more CPU power. Now come up with a solution that works under those circumstances.

            I solved my spam problem and talked about it here. []

            I was Slashdotted so my approach had some merit with some of the crowd here.

            But in the end I was 'marginalized' for my efforts to make email useable again.

            Anyway, you can read the Slashdot thread and visit my site if you want to for more information and to learn how I
    • Perhaps you'd get less spam if you didn't display your email address prominently on a website in the exact format spiders are used to harvesting. Seriously, I get one unwanted email on a bad day, none on most days. I doubt yahoo has incredible spam filtering, so I'm not sure exactly why I get so little, but little things like obscuring the address can make a significant difference.
      • Two reasons why that isn't a relevant point

        1) I'm talking about a work server which managed email for many hundreds of users, not my personal vanity domain.

        2) It shouldn't matter. Though I do ask slashdot to bogusfy my email addy and right now they aren't doing a very good job of it.

    • If email providers would provide digital signatures for each of their clients, I think that a huge dent could be made in SPAM.

      How? If all email from any provider had a digital signature then spamming that spoofs a legit email address, or even a fake one would have to have a digital signature. When the SPAM shows up at the server, it is then checked for a certificate. If it is lacking a real certificate, then it is run to ground, or flagged as SPAM. The certs would expire after so many emails, say 500. Everytim
      • That's really the question at the heart of all these smtp-auth schemes. At the hardware level you have an individual computer tied to a serial number and sales receipt. Once one can verify who owns the computer and that a message was sent from *that* computer and not some other computer, it then becomes possible for law enforcement to track down and stop specific systems from sending SPAM. It also becomes possible to track a variety of other illegal activities. Plus many legal ones.

        Like I said, choose one:
        • Very true. But why should email be anonymous? I am a privacy freak, but at the same time, you should be able to verify the identity of the emails. Otherwise email can't and shouldn't be trusted. Right now anyone with Telnet and access to the RFC on SMTP could become whoever they wanted without having to change their email settings. And if I want to Telnet hop I could effectively obfuscate where the email came from. And that isn't very technical at that. And the only thing that might raise a flag is if the
    • Aah! No! (Score:2, Insightful)

      I'd gladly manage a behemoth amount of spam before I'd accept a treacherous mobo in my machine - turned against me by little lice squirming within legislative chambers and California corporate boardrooms.

      As far as the load on mail servers, there's plenty of middle ground between waiting for an RFC or capitulating to DRM to fix the SMTP problem. Mindshare is the only real obstacle between the way things are & a least-privilege mail system that uses strongly signed logins integrating a sender/receiver p

  • Duh! (Score:5, Interesting)

    by Billosaur ( 927319 ) * <wgrother@oEINSTE ... minus physicist> on Tuesday May 02, 2006 @04:39PM (#15248780) Journal

    The reason they don't do this now is that the spammers doing it are not geeks. They're taking pre-built scripts, modifying some parameters, and letting them go. They will keep doing this until those scripts no longer work, and then they will move onto newer ones. The only way this will happen is if some hacker gets bored, reads this article, and decides there's a lot of cash to be made selling just such a thing to the spammers.

    Be real -- no matter how personalized an email gets, I'm still going to know it's not from somebody I know, because I don't make email my primary mode of correspondence and where I do, I can easily figure out that my mother isn't going to be sending me ads for Viagra.

    Now, if they could make a Turing-capable spam generator, I'd be impressed.

    • The reason they don't do this now is that the spammers doing it are not geeks. They're taking pre-built scripts, modifying some parameters, and letting them go.

      Don't be so sure about that "modifying parameters" part. I sure see a lot of pink stuff with "Subject:" lines of "%SUBJECT" and so forth. Certainly doesn't lead you to doubt Rule #3 of the Rules of Spam [].

    • Be real -- no matter how personalized an email gets, I'm still going to know it's not from somebody I know,

      They win if they can fool your filters, so you have to read it to decide whether it's real. However, more sophisticated personalised mail could make very dangerous phishing attacks. Eg, an email from your mother "Dear, I've forgotten my banking password....". It may not fool you, but like any spam, they only need a few scores out of millions to make it pay.

  • How else would they know my p3n1z i5 5m@LL?
  • by blackcoot ( 124938 ) on Tuesday May 02, 2006 @04:44PM (#15248816)
    fantastic. you've now told spammers how to defeat basically every statistical spam filter. now i get to attempt to teach the generally tech-clueless people in my life about pgp or equivalent so that i can automatically block all non-signed email. except i can't, because there are no online vendors / banking services / etc. that sign their outbound email, to the best of my knowledge.

    just because you know how to do something like essentially unbreakable steganography in video sequences doesn't mean that it's something you need to share with the rest of the world.
    • fantastic. you've now told spammers how to defeat basically every statistical spam filter
      They already send emails to me by name and spamassassin still catches a lot of them.

      In one of Greg Egan's novels a few years back he had AI in answering machines working as spam filters against AI and data mining used for telephone spam.

  • by Ruvim ( 889012 ) on Tuesday May 02, 2006 @04:45PM (#15248820)
    So, that's why I get all those VIAGRA messages?
  • Yeah, he's right. (Score:4, Insightful)

    by darkonc ( 47285 ) <stephen_samuel@bcgr e e n . com> on Tuesday May 02, 2006 @04:46PM (#15248828) Homepage Journal
    My first response was 'Thanks you creeps -- you just created a new monster'.... But I've been thinking the same things for years, and it's only time before spammers do this sort of garbage.

    One thing to note, however... Once you start mining information from a Zombie (which -- to be honest has already been done), it makes it easier to identify the zombie and shut it down. (I.e. if I get a spam with information from mikie's machine, I'll immediately phone him and tell him to shut down and clean up his machine. Now mikie's machine is unavailable to the spammers.)
    I think that that is the real reason why zombie systems don't use data mining.... It's like an 'undercover' cop who fingers every low-level pusher-addict he runs into.... He'll never live long enough to get the information he wants on what goes on inside the biker gang's 'clubhouse'.

    This is one of the things that I do... I wrote a filter that peels apart an email, removes the 'legitimate' IPs in the Received: headers collected en route, and attempts to send an email to the IP responsible for the source of the email. It usually takes them a while, but they will shut down the responsible zombie.

    I stopped doing that for a couple of months, and my spam climbed to unbearable levels. I started using the script again a couple of days ago, and the spam I've been getting has already dropped noticeably.

    • and attempts to send an email to the IP responsible

      That should have been:
      and attempts to send an email to the ISP responsible

      (fyi: It involves a reverse DNS lookup and records)

    • I'm actually very interested in seeing how a script like this works. Could you please post it for us? Or at least tell us how you determine which IPs in the headers are 'legitimate'?
      • [] . It's a cluster of about 4 shell and perl scripts.

        I figure out the 'legitimate' addresses manually -- any machine in your 'legitimate' email delivery path should be listed... I.E. primary and secondary MXs ..

        Note that if you use this to 'report' messages delivered to you via mailing list, you must include the IPs associated with the mailing lists as well. Any address not in the 'legitimate' list is presumed to be the first IP in the SPAM chain (i.e. an Open
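
The header walk described in the comments above (drop the relays on your own delivery path, treat the first remaining IP as the source, then look up who owns it), as an added example that is not darkonc's script or part of the original thread. It is written in Python rather than the shell and perl mentioned; the trusted range, hostnames and sample message are constructed, and it stops at the name a reverse DNS lookup would query instead of touching the network or mailing a report.

```python
"""Locate the hand-off IP in a message's Received: chain (added example)."""
import ipaddress
import re
from email import message_from_string

# Relays on our own delivery path (primary and secondary MX). These are
# constructed documentation-range addresses, not values from the thread.
TRUSTED = [ipaddress.ip_network("198.51.100.0/27")]

# Constructed sample. Received: headers are prepended, so the newest is on
# top. The bottom one was supplied by the sender and is forged; only headers
# written by relays we trust can be believed.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.20])
    by mail.example.net with ESMTP id A1; Tue, 2 May 2006 16:46:01 -0700
Received: from mx1.example.net (mx1.example.net [198.51.100.10])
    by mx2.example.net with ESMTP id B2; Tue, 2 May 2006 16:46:00 -0700
Received: from friendly-host (unknown [203.0.113.77])
    by mx1.example.net with SMTP id C3; Tue, 2 May 2006 16:45:58 -0700
Received: from mail.bank.example (mail.bank.example [192.0.2.5])
    by friendly-host with SMTP; Tue, 2 May 2006 16:40:00 -0700
From: "Mom" <mom@example.org>
Subject: constructed test message

body
"""

PEER_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_peers(raw_message):
    """Return the connecting-peer IP of each Received: header, newest first.

    An entry is None when the header has no parseable 'from' address.
    """
    peers = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())            # undo header folding
        if not flat.lower().startswith("from "):
            peers.append(None)
            continue
        from_clause = flat.split(" by ", 1)[0]    # peer only, not the relay
        match = PEER_IP.search(from_clause)
        try:
            peers.append(ipaddress.ip_address(match.group(1)) if match else None)
        except ValueError:
            peers.append(None)
    return peers


def first_untrusted_peer(raw_message, trusted_networks):
    """Walk down from our own server and stop at the first outside peer.

    Every header above that point was written by a trusted relay, so the
    peer address it recorded is reliable. Everything below it came from the
    sender and is ignored.
    """
    for peer in received_peers(raw_message):
        if peer is None:
            continue
        if not any(peer in net for net in trusted_networks):
            return peer
    return None


def report_target(raw_message, trusted_networks):
    """Return the source IP and the PTR name to query for its owner."""
    peer = first_untrusted_peer(raw_message, trusted_networks)
    if peer is None:
        return None
    return {"ip": str(peer), "ptr_name": peer.reverse_pointer}


if __name__ == "__main__":
    print(report_target(SAMPLE, TRUSTED))
```

As the comment above notes for mailing lists, any forwarder you accept mail through has to be in the trusted list, or it will be reported as the source.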

  • Spammers could start targeting their messages just at people who fit a certain demographic.

    And they could start sending their messages via USPS bulk rate.

    This would surely bring about the end of civilization as we know it.
    • Spammers could start targeting their messages just at people who fit a certain demographic.

      And they could start sending their messages via USPS bulk rate.

      This would surely bring about the end of civilization as we know it.

      Nah, it'd just allow the U.S. to balance the budget (and turn the U.S.P.S. into a cost center for the government ... just like the patent office).
  • Recommendations (Score:5, Insightful)

    by Viraptor ( 898832 ) on Tuesday May 02, 2006 @04:49PM (#15248853) Homepage

    Fortunately for those who detest spam, the authors also present four new defenses that could help stop this newer, more personalized spam. First, e-mail archives can be encrypted, making it difficult for malware to mine them for information.

    WOW - so I've got to accept that my computer IS broken into and encrypt even local data? Thank you very much - my computer would rather not be broken into.

    Second, these archives can also be "salted" with false information such as spam trap addresses. Third, the authors suggest that all URLs followed from an e-mail client be viewed in a "sandboxed" browser that would prevent automatic downloads.

    Sandboxed browser? Ok - they're joking. Who uses external content displaying in their mail? And anyone hasn't got a "HTML=+80% spam" rule in mail client yet, generated AUTOMATICALLY FROM EXAMPLES?

    Finally, anti-spam filters can be adjusted to better screen for these types of attacks.

    Care to elaborate?

    Ok - this is all going in the wrong direction. Why shouldn't I trust *my system*? Why should I allow my incoming mail to use outside objects? I thought that people, who can build a natural-language-messages data mining / composing system can understand basics of home computer security...
    Besides - if spam will mimic a friend's style and probably send mail as that friend - then you know exactly who to filter out and who needs billing for a "PC security" lessons ;)
  • It's deja vu all over again!
  • I think that, moving forward, one of the core drivers of true artificial intelligence is going to be SPAM!

    As algorithms become better and better at sending SPAM, combatting methods will become increasingly sophisticated.

    Witness the Bayesian filtering phenomenon. Back in the day, who would've thought that a "learning" system would be needed just to determine what's junk mail?

    SPAM is a side-effect of intense economic and evolutionary pressure - the value of getting your attention and maybe your pocketbook. I
  • Spammers have been personalizing content since day one... After all, if you don't have a flaccid penis, you probably know someone who does at any given moment. Who doesn't know someone who needs more money? Who doesn't want cheap drugs?
  • Targetted Spam (Score:5, Interesting)

    by overshoot ( 39700 ) on Tuesday May 02, 2006 @05:10PM (#15249021)
    Sort of an oxymoron, isn't it?

    The whole point of the spam business model is that it's low-cost. Any filtering would raise costs compared to simply flooding the world with the same payload.

    If spammers were in the slightest interested in addressing their markets, I wouldn't be seeing several thousand Asian-language spam per day addressed to a North American mail server. None of us would be seeing spam with hash-busters, mangled "Subject:" lines, and other filter avoidance hacks.

    This seems like one more attempt to promote the idea of "good spam" for mainsleazers like Kohl's department stores.

  • by fortinbras47 ( 457756 ) on Tuesday May 02, 2006 @05:18PM (#15249084)
    The main methods for detecting spam currently are blacklists and content based filters (either automatic or human). Blacklists are easily defeated by zombies and content based filters will always have problems because spam content can be very similar to valid content.

    This is my own personal opinion, but I think e-mail has to go in the direction of EASY TO USE crypto based authentication. This technology already exists (pgp) and is used heavily by the computer security industry. it would make a lot of sense IMHO if EVERY e-mail from my bank was cryptographically signed using the bank's private key. Websites are encrypted and authenticated using public/private key cryptography (SSL) why can't the same thing be done for e-mail?

    If Microsoft, Apple, Ebay/Paypal, Verisign, a few banks etc... got together, agreed to a SINGLE existing standard, and implemented it in a transparent and easy to use way, it might go a long way to reducing spam. Citibank could say, "all e-mail we send is cryptographically signed by Citibank. If you get an e-mail that is not signed by Citibank, then it isn't from us." Obviously there are still USARS out there who wouldn't get it, but i think this would be a big step in the right direction.

    (P.S. Yes I know a variety of e-mail programs implement various crypto stuff already, but as far as I can tell, almost no one uses it or knows how to use it.)

    • Blacklists are easily defeated by zombies and content based filters will always have problems because spam content can be very similar to valid content.

      That only works if the zombies aren't on a DUL [1].

      Beyond that, it's pretty easy to spot zombies locally because they hit spamtrap addresses. Once they do, the sending IP gets locally blackholed on the spot without SMTP ever getting beyond "RCPT-TO"

      [1] Dial-Up List: list of dynamic IP addresses, not always dialup.
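The RCPT-stage rejection described in the reply above, as an added example that is not part of the original thread: a simulated policy check (no sockets) that refuses DUL ranges, blackholes any IP that addresses a spamtrap, and ages entries out again. The trap address, IP ranges, reply codes and the 24-hour expiry are constructed assumptions, not values from the discussion.

```python
import ipaddress

SPAMTRAPS = {"old-list@example.org"}   # constructed trap address
DUL = ["198.51.100.0/24"]              # constructed "dynamic" range
TTL = 24 * 3600                        # assumed expiry for local entries


class RcptPolicy:
    """Decide the reply to RCPT TO before any message data is accepted."""

    def __init__(self, spamtraps, dul, ttl):
        self.spamtraps = {a.lower() for a in spamtraps}
        self.dul = [ipaddress.ip_network(n) for n in dul]
        self.ttl = ttl
        self.blackholed = {}           # ip -> expiry (epoch seconds)

    def on_rcpt(self, now, client_ip, rcpt):
        ip = ipaddress.ip_address(client_ip)
        expiry = self.blackholed.get(ip)
        if expiry is not None:
            if now < expiry:
                return 554, "locally blackholed"
            del self.blackholed[ip]    # entry aged out; dynamic IPs get reassigned
        if any(ip in net for net in self.dul):
            return 554, "dynamic address range"
        addr = rcpt.strip().strip("<>").lower()
        if addr in self.spamtraps:
            self.blackholed[ip] = now + self.ttl
            return 550, "no such user"  # trap hit: block this IP from now on
        return 250, "ok"


# Constructed session: (time in seconds, client IP, RCPT TO argument)
EVENTS = [
    (0, "192.0.2.10", "<alice@example.org>"),         # ordinary sender
    (5, "203.0.113.7", "<Old-List@Example.org>"),     # zombie hits the trap
    (6, "203.0.113.7", "<alice@example.org>"),        # same IP, real user
    (7, "198.51.100.23", "<alice@example.org>"),      # sender inside the DUL
    (TTL + 10, "203.0.113.7", "<alice@example.org>"), # after the entry expired
]


def replay(events):
    policy = RcptPolicy(SPAMTRAPS, DUL, TTL)
    return [policy.on_rcpt(t, ip, rcpt)[0] for t, ip, rcpt in events]


if __name__ == "__main__":
    print(replay(EVENTS))
```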

    • If Microsoft, Apple, Ebay/Paypal, Verisign, a few banks etc... got together, agreed to a SINGLE existing standard, and implemented it in a transparent and easy to use way, it might go a long way to reducing spam.

      It's been tried. Microsoft won't support anything that doesn't ultimately give them control of all e-mail.

      Beyond that, encryption or signing of the contents requires that the MTA accept the whole stinking pink pile before even considering routing it to /dev/null -- and then it has to burn a hu

  • by slashname3 ( 739398 ) on Tuesday May 02, 2006 @05:19PM (#15249090)
    Damn spammers hiring researchers to figure out better ways to get spam delivered. Don't they teach ethics anymore?

    This also qualifies as a DUH! Of course if you send spam that looks like it comes from someone you know it has a better chance of getting through.
  • by posterlogo ( 943853 ) on Tuesday May 02, 2006 @05:19PM (#15249093)
    I find it remarkable that so many replies here in the slashdot community are along the lines of "oh no! you're just showing the spammers/terrorists how to do it better!"

    And yet, if you look at any posts about how Microsoft or Sony or whatever are trying to keep their software's flaws obscure so they don't get exploited, the Slashdot community generally rails on them like there's no tomorrow. So hypocritical.

    I thought people here were generally smart enough to know that security by obscurity doesn't work. Just because Joe Spammer doesn't care to tinker around to make his spam more devious doesn't mean Joe Hacker isn't gonna do it just for the hell of it and pass it along to Joe Spammer somehow.

  • Flame On...

    All this is made possible by Microsoft's crappy security structure of their OS's.

    You can't mine data, if you don't have access to the files that store that data.

    As far as stopping the spam from coming in? We can do that. The methods for detecting spam in its current state apply. Whether it's detecting Penis enlargement, phishing scams, XXX content...etc., we can already do that. So bring on the personalized spam I say. I can swat it away just as fast as if it didn't have your name on it.
  • Emails like the article describes sound like identity theft. That sounds a lot more prosecutable than your average spam. I wonder if the average spammer would take the risk.
  • Cognito ergo scum - I think therefore I spam.

    Vik :v)
  • I've already received one on the 9th April 2006 with my full name in the subject: "Important infomation to Mr Gavin {my surname} ." and also in the body:

    " Dear Gavin {my surname} ,

    I am Barrister Atiko Benson, a senior advocate,personal attorney to Mr.Andrew {my surname},who used to work with Shell Development Company in Lome Togo. Herein after shall be referred to as my client.

    On the 21st of April 2001, my client, his wife and their only daughter were involved in a gastly car accident..."{continue classic
  • Talk about hitting the nail on the head. Who knew an 18-year-old needed Viagra?
  • Personalised spam assumes intelligence, something lacking on both ends of a successful spam message.
  • Real spam research (Score:4, Interesting)

    by gvc ( 167165 ) on Tuesday May 02, 2006 @06:14PM (#15249522)
    Why does Slashdot not report on real spam research? They report puff pieces like this and the phishing talk from the MIT Spam Conference, but not the results of TREC 2005 Spam Track (Hint: an outsider using compression techniques was very strong; open source filters like crm114, dbacl, bogofilter and spamassassin were close behind; DSPAM was middle of the pack.) No filter came close to demonstrating those widely-claimed 99.9-whatever% accuracy figures. I guess "news for nerds -- stuff that matters" includes testimonials but not results.

    The TREC tests involved tests on 350,000 email messages. A 92,000 message public corpus from this effort is available for free download.

    John Graham-Cumming (no relation to TREC) has created SpamOrHam -- a community-based effort to adjudicate the judgements in the TREC corpus. This'll let us test in a big way Yerazunis' contention that spam filters are better than humans.

    Any filter writer can participate in TREC 2006 by submitting a letter of intent now and a filter in due course.

    There's also an upcoming scientific spam conference this summer - CEAS.

  • If you can craft an email that uses a person's name and the city they live in, it's pretty obvious that the response rate is going to go up. Ultimately, we need spam shut down at the SMTP servers. Since spam is free to send, it doesn't matter what the hit rate is, people are going to keep doing it.
