What's With All This Spam?
Posted by
Zonk
on Thu Nov 09, 2006 05:28 PM
from the pork-everywhere dept.
coondoggie writes to mention a Network World article about soaring spam levels, confirmed now by researchers, IT managers, and security vendors. So, indeed, it's not just you: October was a spammy month. From the article: "Levine's assumption is this spike in spam levels is a result of a new generation of viruses and zombies that can infect PCs more quickly and are harder to get rid of. In its October report, messaging security vendor MessageLabs says the spike is largely due to two Trojan programs, Warezov and SpamThru. Others say a new breed of spam messages called image spam -- messages with text embedded in an image file that evade spam filters, which can't recognize the words inside the image -- is responsible." A note: I have no interest in penny stocks.
Related Stories
Aggressive Botnet Activities Behind Spam Increase 194 comments
An anonymous reader writes, "A spam-sending Trojan dubbed 'SpamThru' is responsible for a vast amount of the recent botnet activity which has significantly increased spam levels to almost three out of every four emails. The developers of SpamThru employed numerous tactics to thwart detection and enhance outreach, such as releasing new strains of the Trojan at regular intervals in order to confuse traditional anti-virus signatures detection." According to MessageLabs (PDF), another contributor to the recent spam increase is a trojan dropper called "Warezov."
Commission (Score:5, Interesting)
Re: (Score:3, Informative)
I use GMail (Score:4, Informative)
Oh, my spam folder? Over a hundred a day, but as I recall, Gmail has miscategorized maybe 2 or 3 messages as spam during the entire time I have used it. Unless I am expecting something, I rarely check the spam folder at all.
Bayesian training (Score:5, Informative)
Ameritrade (Score:5, Informative)
Domain owners: Set up SPF NOW!!! (Score:5, Informative)
Domain owners: Set up SPF NOW!!!
I set up SPF on my domains and the number of bounces from spoofed SPAM dropped dramatically.
Do not wait any longer, do your duty to the internet community: Set up SPF NOW!!!
Reverse OCR (Score:5, Interesting)
At work we use SpamAssassin with a GPL OCR plugin, however, it's getting foiled by intentionally added noise in the images. I propose we come up with a way to detect these non-character elements (noise) in the associated spam images instead of just trying to OCR the text. The noise I've seen seems like it should be easily detectable.
"Begun, this Captcha Wars has."
-Yada
Don't be so smug (Score:5, Informative)
SpamAssassin is too costly. (Score:5, Interesting)
Most of mine get binned with a 554 "You're not localhost"
Some spammer is using an email address of mine to send spam from. So I get the people writing back, asking why I am sending them spam. And another of my domains is obviously listed somewhere as a domain where guessing user accounts might be a good idea. So I get cqoiecn@mydomain.com, zqopqwn@mydomain.com, etc. It all just sucks. I'm currently getting about 10 spams per minute.
Re: Sender Stores systems. (Score:5, Interesting)
I'm working on a sender-stores system for a distributed social networking software called Appleseed [sourceforge.net] based, in theory, on Internet Mail 2000 [im2000.org]. I figured early on that since the system was distributed, which means that anybody could set up an Appleseed social networking "node", it would suffer from the same problems as any mail system if I used the standard receiver-stores system.
I don't harbor any illusions about a sender-stores system being able to eliminate spam entirely, but the reason I went with it, especially after reading this in-depth critique [psg.com], was that it created a system of accountability. You may not be able to stop spam, but you have much better tools for knowing exactly where the spam came from.
The disadvantage is that it becomes, ideologically anyways, incompatible with current email systems. I consider this a small price to pay to allow admins to have better control and protection over their systems.
The system I'm building is rudimentary for now, and only uses direct HTTP->HTTP connections to send notifications and retrieve messages, and won't have any of the fancy abilities that email has right now, but it's a start, and there's no reason that those features can't be added as it evolves. It's gonna be a big experiment, and I'm expecting a whole lot of unforeseen issues, but this whole project is a big experiment, so I'm excited about the possibilities in general.
i have no confirmed proof other than ethereal logs (Score:5, Interesting)
Devious Plan (Score:2)
Not just october (Score:4, Interesting)
Essay / Short Story Spam (Score:5, Interesting)
Re:Essay / Short Story Spam (Score:4, Informative)
Re: (Score:3, Interesting)
Or else somebody has a really weird sense of humour.
Not "detraining" (Score:4, Insightful)
What they're more likely to succeed at is not detraining the filters but overtraining them. By sending innocuous text and getting it trained as spam, your filter is more likely to mark normal mail as spam, thus increasing the level of false positives and resulting in a filter which marks spam, but isn't terribly useful.
At least, that's the theory, and the more likely goal. I use SpamAssassin, and I generally train on these anyway. I don't see many false positives, and of those I do see, very few (if any at all in the past year or so) have been attributable to the Bayesian portion of the analysis.
YMMV.
Re: (Score:3, Informative)
SPF (Score:4, Insightful)
The moron moderator who rated "Domain owners: Set up SPF NOW!!!" as offtopic needs to get a clue. SPF: Sender Policy Framework [openspf.org] is used so you can filter out forged mail. The recent flood of stock-pumping spam used many forged domains in the "from", and if you filtered on SPF, you wouldn't have seen as much spam.
I might add, it would be nice for people to REJECT spam rather than BOUNCE it. When you bounce it, innocent domains get an email complaining about the forged email. With these spambots, it adds up quick! Doing a reject also allows legitimate senders to discover their email was not delivered.
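The check the comment describes, written out as an added example (not the poster's code and not the openspf.org implementation): a minimal SPF evaluator over hard-coded records for two fictional domains, covering only the ip4/ip6/all mechanisms (no DNS, no include/a/mx), plus the reject-versus-bounce decision the poster recommends.

```python
"""Minimal SPF-style check of a connecting IP against a domain's policy.

Added example. Records are constructed placeholders for fictional domains;
a real check would fetch the TXT record via DNS and handle include/a/mx.
"""
import ipaddress

# Constructed policies (not real data). example.org hard-fails everything
# outside its netblocks; example.net only soft-fails.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Return pass/fail/softfail/neutral/none for client_ip sending as domain."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]     # "all" matches every client
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            # v4 address in v6 network (or vice versa) is simply not a match
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        # a, mx, include, exists would need DNS lookups; skipped here
    return "neutral"


def smtp_decision(domain, client_ip):
    """Map the SPF result to an SMTP reply: reject in-session, never bounce."""
    result = check_spf(domain, client_ip)
    if result == "fail":
        # A 5xx during the session reaches the real sender directly and
        # generates no bounce toward the forged domain.
        return "550 SPF fail: %s is not permitted to send as %s" % (client_ip, domain)
    if result == "softfail":
        return "250 accepted (softfail, used as filter input)"
    return "250 accepted (%s)" % result
```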
SPF (Score:4, Interesting)
But I haven't got it working in Postfix yet, so I can't benefit from others' SPF records.
The Pump-n-Dumps are a problem, (Score:2)
Greylisting helps (Score:5, Interesting)
As a result, using greylisting results in filtering a HUGE amount of spam out since it fakes a temporary failure from any new server connecting and waits for the server to try sending the mail again after a defined delay (according to the RFC, mailservers are supposed to try sending again if they get this temporary deferral).
I set this up on my primary server (ubuntu with postfix) and saw a 99% decrease in spam since none of the zombies care enough to try connecting again. By the time a zombie gets upgraded to be wise enough to evade this, it is likely to fail all kinds of other spam tests anyway (referring mainly to blacklists, though blacklisting can be extremely evil by nature).
If you run a mailserver, definitely look into setting this up. The wikipedia article explains the low-risk nature and exactly how it works: http://en.wikipedia.org/wiki/Greylisting [wikipedia.org]
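The greylisting logic the comment describes, as an added example (not the poster's Postfix setup, which would normally use a policy daemon): the usual key is the triplet of client IP, envelope sender and envelope recipient; the delay and expiry values are constructed, and the clock is injectable so the behaviour can be replayed without waiting.

```python
"""Greylisting decision logic: tempfail unknown triplets, accept retries.

Added example. Delay/expiry values are constructed; a zombie that never
retries never gets past the 450, a queueing MTA does.
"""
import time

GREYLIST_DELAY = 300          # seconds a new triplet must wait before acceptance
GREYLIST_EXPIRE = 4 * 3600    # unretried triplets are forgotten after this long


class Greylist:
    def __init__(self, delay=GREYLIST_DELAY, expire=GREYLIST_EXPIRE, clock=time.time):
        self.delay = delay
        self.expire = expire
        self.clock = clock        # injectable so the delay can be simulated
        self.pending = {}         # triplet -> time of first attempt
        self.passed = set()       # triplets that completed the delay

    def decide(self, client_ip, sender, recipient):
        """Return the SMTP reply for one delivery attempt of this triplet."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        now = self.clock()
        if triplet in self.passed:
            return "250 OK"
        first_seen = self.pending.get(triplet)
        if first_seen is not None and now - first_seen > self.expire:
            # Nobody retried within the window: start over as if never seen
            first_seen = None
        if first_seen is None:
            self.pending[triplet] = now
            return "450 4.7.1 Greylisted, please try again later"
        if now - first_seen < self.delay:
            # Retried too early (or a zombie hammering): still deferred
            return "450 4.7.1 Greylisted, please try again later"
        # A compliant MTA queued the message and retried after the delay
        del self.pending[triplet]
        self.passed.add(triplet)
        return "250 OK"


def simulate(attempt_times, delay=GREYLIST_DELAY):
    """Replay one triplet's attempts at the given seconds; return the replies."""
    now = [0.0]
    gl = Greylist(delay=delay, clock=lambda: now[0])
    replies = []
    for t in attempt_times:
        now[0] = t
        replies.append(gl.decide("203.0.113.9", "a@example.org", "b@example.net")[:3])
    return replies
```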
Pump and dump (Score:5, Interesting)
I then called the enforcement division of the SEC and said I had the name and contact details for a company that was responsible for sending a number of unsolicited pump/dump email spams to me. I also told them that I had email from the spammer himself confirming that they'd done the deed. It wasn't some innocent bystander, but the people that actually SENT the mail. I was sent to a voicemail box and assured that I'd be called back. It's now about 2 weeks later and nobody ever called me.
And people wonder why there's so many of these vermin...uh, it's practically impossible to get caught!
Re: (Score:3, Interesting)
I just looked one of the companies (the petroleum one) up on NASDAQ [nasdaq.com], and while their share price was up yesterday, then down today, the interesting thing is the way the stock has traded more in the last two days than in the entire previous year. By several orders of magnitude, in fact.
Until May this year the company was worth approximately nothing (10 cents a share). In the last two days they pumped it from $2.95 up to $10.10, then dumped it down to $4.00. On 60,000-odd shares traded, somebody made a lot
I agree that SPF appears necessary (Score:2, Interesting)
Re: (Score:3, Insightful)
Please don't tell me what I do and do not need to do.
Filter by IPs (Score:5, Interesting)
Spammers put garbage in the message body, subject, other headers, etc. in order to fool the spam filters - and unfortunately, they are often pretty successful.
But one thing they cannot change is their IP addresses. I wrote a script to parse my mail and save the IP addresses (or more precisely, their first two numbers - e.g., 213.186) that appear in spam messages, but not in normal ones. Then, I run another script on my incoming mail - which marks the message as spam if it contains a blacklisted IP address.
I update the list of IPs once in a while, and it works pretty decently. Right now, I have about 4,500 items in the list - each one corresponding to a range of 256^2 IP addresses - so it's about 7% of the whole address space (kinda scary). It blocks about 2/3 of spam, with almost no false positives. Most of my spam is also marked by the SpamAssassin (or whatever the mail server uses) and automatically moved into the spam folder, so I just run the script once in a while, and it "learns" on its own.
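A reconstruction of the two scripts the comment describes, as an added example (not the poster's own code): learn the first-two-octet prefixes that appear in Received: headers of spam but not of legitimate mail, then flag new messages that carry a blacklisted prefix. The messages are constructed and use documentation address ranges; note that the local relay's 127.0 prefix appears in both corpora and so cancels out.

```python
"""Learn and apply a /16 prefix blacklist from Received: headers.

Added example; the messages below are constructed samples.
"""
import email
import re
from email import policy

IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}\b")

SPAM_SAMPLES = ["""Received: from mx.example.org (localhost [127.0.0.1])
    by mx.example.org with ESMTP; Thu, 9 Nov 2006 10:00:00 -0500
Received: from [203.0.113.44] (unknown [203.0.113.44])
    by mx.example.org with SMTP; Thu, 9 Nov 2006 09:59:58 -0500
From: random@example.com
Subject: HOT STOCK ALERT

buy now
"""]

HAM_SAMPLES = ["""Received: from mx.example.org (localhost [127.0.0.1])
    by mx.example.org with ESMTP; Thu, 9 Nov 2006 11:00:00 -0500
Received: from smtp.example.net (smtp.example.net [198.51.100.25])
    by mx.example.org with ESMTP; Thu, 9 Nov 2006 10:59:58 -0500
From: colleague@example.net
Subject: meeting notes

see attached
"""]


def prefixes(raw_message):
    """Return the set of 'a.b' prefixes of every IPv4 address in Received: headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = set()
    for header in msg.get_all("Received", []):
        for a, b in IPV4.findall(str(header)):
            found.add("%s.%s" % (a, b))
    return found


def learn(spam_messages, ham_messages):
    """Prefixes seen in spam minus those seen in normal mail."""
    spam = set().union(*(prefixes(m) for m in spam_messages))
    ham = set().union(*(prefixes(m) for m in ham_messages))
    return spam - ham


def is_spam(raw_message, blacklist):
    """Mark a message as spam if any Received: prefix is blacklisted."""
    return bool(prefixes(raw_message) & blacklist)
```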
what's with all this complaining? (Score:3, Insightful)
what propagates without knowing? window boxes
who's to blame for all this? windows boxes
what's never gonna solve it? windows boxes
who's gonna get most of this spam? windows boxes
solution? no more windows boxes
In case you're not getting enough... (Score:4, Funny)
Domain owners: Don't bother (Score:4, Interesting)
SPF Does Not Seem to Work (Score:5, Insightful)
I have not noticed that it helped at all in my case. I have a postmaster account set up with my host that catches all the replies to spams that are sent spoofing my domain. The number seemed to drop in the first week or so after I set up SPF, but it's now back up to an average of 500-1000 per day, and that's just the automated replies I'm seeing.
I assume the number of spams being sent is much higher, by orders of magnitude.
From the other comments, it seems possible that I'm misinterpreting the responses. Are they merely an indication of "success"? In other words, are they all just automated responses from the mail servers that correctly figured out (via SPF) that someone was spoofing my domain? This seems illogical, since I'm not sure why a mail server that figured this out would bother with an automated response. Such a policy would double the traffic associated with each "success", which is why it seems illogical to me.
In addition, of course, I see "out of office" and similar replies from individual mailboxes. Are these merely the indication of mail servers that have not implemented SPF on their (receiving) end? While that doesn't seem illogical, it seems just too easy. In other words, this issue has made me a little paranoid, and I just want to make sure I'm not relying overly much on SPF.
Are there other tools I could/should be using?
BTW, I've never, ever received a spam that spoofed a real domain of a large organization. I've seen lame phishes like paypal5.com, but never anything exactly like paypal.com, for example. It's hard to believe that the big guys are 100% successful with just SPF. Am I just being paranoid again?
Thanks in advance!
At QuantumG - Short Story SPAM (Score:5, Interesting)
Re:Reverse OCR (Score:3, Informative)
I use a plugin called FuzzyOcr [apache.org], and it handles animation and noise very well. Unfortunately the OCR itself isn't great, so it reads a lot of gibberish. FuzzyOCR compensates for this by being very liberal with its string matching (hence the name). The nice thing is, it correctly identifies the vast majority of the image-based spam I receive. Unfortunately, it's very easy for it to identify false positives. So far I haven't had this problem, but you might, especially if people often send you screen shots.
How to filter out image spam (Score:3, Informative)
Re: Essay / Short Story Spam (Score:3, Interesting)
In addition to the bayes poisoning explanation goofy183 posted, I suspect that some of them started out as the distraction portion of an image-based spam, but the attached images were either stripped out by a relay or left off in the first place by broken spam software (like the stuff you used to see from time to time from %RNDUSER advertising %RNDADJECTIVE %RNDNOUN).
I think you're all missing the point (Score:2, Interesting)
Don't you people know that the bad guys can program too?
I'm amazed these anti-spam companies don't have their own private small armies of grey-hats trying to break their own products. I swear half these stupid ideas would just go away.
Personally, I think it's time we move to a completely different mod
Re: Filter by IPs (Score:3, Informative)
Sure they can. They've got access to botnets of random compromised PCs sitting in homes and offices around the world. If they find one being blocked too much, all they have to do is send the commands to another one. It's legit mailers, who have anywhere from one to a few dozen outgoing servers (depending on the size of the organization) who can't change their IPs.
The list you're putting together is probably mostly a mix of spam-friendly ISPs and residential/small business DSL/cable IP blocks. The reason you're not seeing many false positives is that most legit home users send through their ISP's mail server rather than directly to you, so you don't see that their IP is on your list.
Re:Domain owners: Set up SPF NOW!!! (Score:2)
While I agree that it will help prevent forgery of your own domain, it doesn't really prevent the spammers from setting up SPF records for their domains with really loose rules, thus circumventing the "I know who sent this" part of SPF.
And, not to be too negative, SPF still doesn't have a good solution for secondary delivery (BackupMX, email forwarders, etc).
If you're still positive on the technology, you might want to co
Tell the truth (Score:5, Insightful)
Is there any chance whatsoever that we might somehow convince people to start telling the whole truth?
This description is almost a lie. This is not malware for PCs. This is malware for Windows. Not Linux, not 'PCs', Not Mac, Not Amiga, BeOS, Wind River, Next, BSD... whatever.
I'm not bashing, creating FUD or anything else. This Is Not A Trap. I'm just sick and tired of being painted with the same brush as Windows. The 'PC Virus' term is misleading; it makes my life a lot more difficult when I have to go to great lengths to explain to people that, actually, almost all of this malware only affects Windows and the software that runs on it.
Try to imagine how Bayer would have responded if the poison Tylenol scare in the late 80s were characterised in the media as 'poison headache remedy'? They would have freaked, and consumers would have, too. Journalists have a duty to report accurately and completely on issues that affect us, and this intellectual laziness is starting to look more and more like dishonesty as time goes on.
Re:Domain owners: Set up SPF NOW!!! (Score:4, Informative)
How do spammers make money? (Score:3, Interesting)
Ignoring for the moment your admission of guilt, how did you make that $20k/day?
Who was paying you?
SPF isn't supposed to block spam (Score:3, Interesting)
And this is a problem because... you can validate it, know that the spam really came from the spammer's own domain, and blacklist them. No, wait, that isn't a problem.
SPF was never about stopping spam, or about bypassing filters. It was about identifying forged senders at the domain level. It happens that there's a high correlation these days between the two, and in the long run knowing whether the sender is valid will be a useful piece of input in spam filters. And of course spam is what gets the headlines.
If you have some way of validating that the sender is who they say they are, you can do a number of things:
The main problem is that neither SPF nor DomainKeys has reached critical mass. Not enough places have implemented them, and implemented them strictly, for it to be worth checking. Not enough places are checking for it to be worth implementing.
Part of it is inertia. And there are still two main problems: forwarding services and road warriors. Both have solutions. You can have an SPF-aware forwarder, or one which implements DomainKeys. You can set up SMTP-AUTH on the submission port and remote users should theoretically be able to send using the home server (unless the network is brain-dead and blocks port 587 in addition to 25. And I have no doubt that they exist).
Whether SPF will prove useful in the long run is, I think, still up in the air. But saying that it's useless because spammers have "adapted" to it is missing the point.
Image spam? (Score:4, Interesting)
Anyhow, I'm seeing a massive increase in spam since late September. While our filter is effective, the sheer volume has meant that many more junk messages are getting through. I think that what a lot of people fail to realize is that while the problem of spam can be dealt with effectively for personal email, especially if you take advantage of an online service like gmail, it's a totally different ballgame in the corporate world where spam is a tricky and costly problem. Work email addresses get published (thus harvested) for a number of legitimate reasons, and once a mailbox is on the radar it seems like the rest of them start getting sucked in. Some employees can effectively ignore their junk boxes, but others simply can't -- it can be costly to miss an email. This reduces spam filtering for these employees to a simple ranking system: "here are messages that are probably legit and you should look at right away, and here are a whole shitload of messages that are probably junk but there might be an important one in there somewhere."
My organization is relatively small, and we don't benefit from hundreds or thousands of users training the filter. Thus when there's a large increase in spam that's getting through, it can take the filter a while to learn to block them effectively. During this time it's not uncommon for the occasional legitimate message to be sent to the spam filter by a user who doesn't notice it tucked into the 75 new messages in his mailbox, and this makes matters even worse. Finally, it's really hard to get users to send their junk mail to the filters, even when you've got it set up as a simple drag & drop procedure that's just as easy as deleting. If you can only convince a percentage of your people that training the filters actually works and is important, and you only have say 50-100 employees, then you may not have near the support required to really make Bayesian filtering work to its potential effectiveness.
Anyhow, over here we've seen a huge increase in spam, with some email-heavy users who used to get 10 in their inbox per day now getting 30 to 50 or more, and with potentially hundreds going to junk boxes. (this has decreased, I think things have settled down during the past week) We run a variety of filtering measures including header checks, DNS blacklists, and Bayesian analysis but just enough spam is able to get through on a daily basis to make things difficult. Back to my original topic: virtually none of the spam getting into user inboxes has been image spam, and only a small percentage of blocked spam is image spam.
Stats from last thirty days here: Messages Processed: 91588, Spam: 72881, 80%. A large portion of our legitimate messages are internal, which are not "filtered", but still counted by the system. A large number of spam messages are getting through, so I would conservatively bump that percentage up to 83-85%.
What an absurd problem. I'm going to have to put more effort into reducing its effect.
Re:Tell the truth (Score:5, Interesting)
In other words, I suspect it's probably not a great long term plan to be smug about windows vulnerabilities causing all of the problems. It will continue to be one, for sure, but the spammers have other tricks which are contributing to the problem
Re:Why don't the BB companies enforce TOS? (Score:3, Informative)
Spam botnets now have so many client machines that Joe Spammer only needs to send out 10 or 20 messages per system per day, and he sends them out slowly.
As soon as a solution seems "obvious" to "everyone", the spammers have moved on. I work for a university, looking after IT Security. We still get people asking us why we don't do Bayesian filtering on our ~700,000 emails per day (hint: when 85% of your email is spam, it doesn't help much) or OCR (1: CPU load++, 2: spammers now use animated GIFs with noise, split in the middle of rows and re-laid out with HTML).
re: Image spam? (Score:3, Interesting)
(I'll echo others here: where is the threading?)
The problem is, spam isn't just an image now. It's:
Throw in random prose, and you're not only tricking rules-based filters, but de-training bayesian filters.
Whitelisting is the only long-term answer (Score:3, Insightful)
Reputation systems that assert "x is not a spammer", perhaps with some delegation, is the only long-term answer. Blacklisting was a decent heuristic for a while, IMHO, but it is now approaching end of life.
But whitelisting will require authentication. Are you OpenPGP-signing your mail yet? If not, then you're part of why whitelisting can't take off yet. You're part of the spam problem.
BTW, one thing I don't get about image spam, is how they get the receivers to look at the image. When I receive a spam, especially one with a lot of nonsense text, it doesn't even occur to me to examine the attachments. It's not so much paranoia about a libpng buffer overflow or something, as it is lack of curiosity.
All I can think of, is that there is some popular email client out there, which shows attached images automatically whether or not the user expressed an interest in the attachments. If that's what's happening, then that email client needs a patch.
Filter on MIME type multipart/related and .gif (Score:5, Interesting)
Translate rules as necessary for your favorite mail client.
Re:Greylisting helps (Score:3, Insightful)
1/3 less spam is still waaaaay too much spam. I'm afraid that even though greylisting is a smart trick, it's not sustainable. Then again, I'm beginning to believe there's *NO* long-term way to slay SPAM, that it will be a permanent back-and-forth battle for years or decades.
image based spam (Score:3, Informative)