What's With All This Spam?

Posted by Zonk on Thu Nov 09, 2006 06:28 PM
from the pork-everywhere dept.
coondoggie writes to mention a Network World article about soaring spam levels, confirmed now by researchers, IT managers, and security vendors. So, indeed, it's not just you: October was a spammy month. From the article: "Levine's assumption is this spike in spam levels is a result of a new generation of viruses and zombies that can infect PCs more quickly and are harder to get rid of. In its October report, messaging security vendor MessageLabs says the spike is largely due to two Trojan programs, Warezov and SpamThru. Others say a new breed of spam messages called image spam -- messages with text embedded in an image file that evade spam filters, which can't recognize the words inside the image -- is responsible." A note: I have no interest in penny stocks.

Related Stories

Aggressive Botnet Activities Behind Spam Increase (194 comments)
An anonymous reader writes, "A spam-sending Trojan dubbed 'SpamThru' is responsible for a vast amount of the recent botnet activity which has significantly increased spam levels to almost three out of every four emails. The developers of SpamThru employed numerous tactics to thwart detection and enhance outreach, such as releasing new strains of the Trojan at regular intervals in order to confuse traditional anti-virus signatures detection." According to MessageLabs (PDF), another contributor to the recent spam increase is a trojan dropper called "Warezov."
  • Commission (Score:5, Interesting)

    by GlobalEcho (26240) on Thursday November 09 2006, @06:33PM (#16789331)
    One thing that has always bemused me about the penny stock spams is the brokerage fees. If you pay, say, 1 1/2 cents per share in brokerage, (thus 3 cents total for buying and eventually selling), your 15 cent stock trade is 20% in the hole the minute you do it.
  • I use GMail (Score:4, Informative)

    by Com2Kid (142006) <com2kidSPAMLESS@gmail.com> on Thursday November 09 2006, @06:35PM (#16789339) Homepage Journal
    What spam? I get maybe 1 or 2 spam emails in my actual inbox each week.

    Oh, my spam folder? Over a hundred a day, but as I recall, Gmail has miscategorized maybe 2 or 3 messages as spam during the entire time I have used it. Unless I am expecting something, I rarely check the spam folder at all.
  • Bayesian training (Score:5, Informative)

    by CRCulver (715279) <crculver@christopherculver.com> on Thursday November 09 2006, @06:35PM (#16789343) Homepage
    I use SpamAssassin and train it regularly against obvious spam. I've heard that this new crop of spam GIFs accompanying seemingly-normal text is meant to get through or even de-train Bayesian filters, but wouldn't SpamAssassin be able to recognize that one common thing about all these messages is an attached image file, and so consider that a spam marker? I read my mail as plain text in Gnus, and most people I correspond with avoid HTML mail and image attachments, so it wouldn't be a problem for me if GIFs or PNGs went straight to /dev/null.
  • Ameritrade (Score:5, Informative)

    by masterz (143854) on Thursday November 09 2006, @06:37PM (#16789363)
    Many of these stock spams have been going to people who have accounts at Ameritrade. It is likely that their email list has been stolen. See http://www.billkatz.com/node/77 [billkatz.com] for details.
  • Domain owners: Set up SPF NOW!!!

    I set up SPF on my domains and the number of bounces from spoofed SPAM dropped dramatically.

    Do not wait any longer, do your duty to the internet community: Set up SPF NOW!!!

  • Reverse OCR (Score:5, Interesting)

    by mwilliamson (672411) on Thursday November 09 2006, @06:43PM (#16789395) Homepage Journal

    At work we use spam assassin with a gpl OCR plugin, however, it's getting foiled by intentionally added noise in the images. I propose we come up with a way to detect these non-character elements (noise) in the associated spam images instead of just trying to OCR the text. The noise I've seen seems like it should be easily detectable.

    "Begun, this Captcha Wars has."
    -Yada

  • Don't be so smug (Score:5, Informative)

    by Kris_J (10111) * on Thursday November 09 2006, @06:45PM (#16789409) Journal
    I barely get any spam either, but my ISP's mail servers are so choked with the stuff that real emails are being delayed by as much as two and a half days. So all of you who say "What spam?" need to be aware that, unless you only send messages to yourself, it's a real problem for everyone.
  • I can't afford the CPU power to let it check all messages in SpamAssassin. So I have to ditch many of them based on Netblock, Country, IP address, invalid EHLO, claiming they're "localhost" or "friend". Only then, after binning about 99% of connection attempts, do the remaining have to run the SpamAssassin gauntlet.

    Most of mine get binned with a 554 "You're not localhost"

    Some spammer is using an email address of mine to send spam from. So I get the people writing back, asking why I am sending them spam. And another of my domains is obviously listed somewhere as a domain where guessing user accounts might be a good idea. So I get cqoiecn@mydomain.com, zqopqwn@mydomain.com, etc. It all just sucks. I'm currently getting about 10 spams per minute.
  • by dominion (3153) on Thursday November 09 2006, @06:47PM (#16789427) Homepage

    I'm working on a sender stores system for a distributed social networking software called Appleseed [sourceforge.net] based, in theory, on Internet Mail 2000 [im2000.org]. I figured early on that since the system was distributed, which means that anybody could set up an Appleseed social networking "node", it would suffer from the same problems as any mail system if I used the standard receiver-stores system.

    I don't harbor any illusions about a sender stores system being able to eliminate spam entirely, but the reason I went with it, especially after reading this in-depth critique [psg.com], was that it created a system of accountability. You may not be able to stop spam, but you have much better tools for knowing exactly where the spam came from.

    The disadvantage is that it becomes, ideologically anyways, incompatible with current email systems. I consider this a small price to pay to allow admins to have better control and protection over their systems.

    The system I'm building is rudimentary for now, and only uses direct HTTP->HTTP connections to send notifications and retrieve messages, and won't have any of the fancy abilities that email has right now, but it's a start, and there's no reason that those features can't be added as it evolves. It's gonna be a big experiment, and I'm expecting a whole lot of unforeseen issues, but this whole project is a big experiment, so I'm excited about the possibilities in general.
  • by Neuropol (665537) * on Thursday November 09 2006, @06:47PM (#16789429) Homepage
    But I just recently had an older D-Link wireless router that got infected with something that turned it into a spam bot. It was using the router as the spam generation unit, sending out packets to and from the most random addresses, stuff that could no doubt be spam oriented. I captured about 100MB of logs pertaining to the whole issue. It even managed to block numerous updates to the firmware, and would not allow itself to factory default. It's like it had a whole other firmware implanted in it and was taken control of.
  • Not just october (Score:4, Interesting)

    by Njovich (553857) on Thursday November 09 2006, @06:48PM (#16789437)
    At my ISP, there is even more spam in November [stats.bit.nl].
  • by QuantumG (50515) <qg@biodome.org> on Thursday November 09 2006, @06:49PM (#16789445) Homepage Journal
    I often get email that contains no advertising, contains no links, has no attachments, but is definitely not written by a human and does not convey any useful information. Often this is in the form of a short story. Sometimes it is in the form of an essay. In either case, it looks like it is generated with simple probabilistic Markov chaining. As such, my spam filter accepts it and I have to manually delete it. Is this just nuisance spam? What does the sender get out of it? Seems pointless, and that's pretty scary to me. I can understand being annoying so you can sell more of your product to idiots on the internet, but being annoying just for the sake of it?
  • SPF (Score:4, Insightful)

    by Anonymous Coward on Thursday November 09 2006, @06:52PM (#16789453)

    The moron moderator who rated "Domain owners: Set up SPF NOW!!!" as offtopic needs to get a clue. SPF: Sender Policy Framework [openspf.org] is used so you can filter out forged mail. The recent flood of stock-pumping spam used many forged domains in the "from", and if you filtered on SPF, you wouldn't have seen as much spam.

    I might add, it would be nice for people to REJECT spam rather than BOUNCE it. When you bounce it, innocent domains get an email complaining about the forged email. With these spambots, it adds up quick! Doing a reject also allows legitimate senders to discover their email was not delivered.

  • SPF (Score:4, Interesting)

    by caluml (551744) <slashdot@NosPAm.spamgoeshere.calum.org> on Thursday November 09 2006, @06:52PM (#16789455) Homepage
    Another user mentioned SPF. This is good. You configure a TXT record in your DNS, which says to the world, unless emails claiming to come from mydomain.com come from mail server a.b.c.d, or w.x.y.z, then bin them. It doesn't reduce your spam, but it prevents people being able to use our domain in the from address to send their spam, meaning you get fewer bounce-backs/user not found emails. (It can mess up forwarding though.)
    But I haven't got it working in Postfix yet, so I can't benefit from others' SPF records.
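The record the commenter describes, evaluated offline. This is an added example, not anything from the comment or from Postfix: it handles only the ip4/ip6/all mechanisms (a, mx and include need DNS), and the record, domain and addresses are constructed. The last case shows the forwarding caveat: a forwarder's address is not in the record, so its relayed mail fails.

```python
"""Offline evaluator for an SPF TXT record (RFC 7208 subset: ip4/ip6/all).
Added example; record and IP addresses below are constructed."""
import ipaddress

# Constructed policy for mydomain.com: only these two senders are allowed,
# and "-all" asks receivers to reject everything else ("bin them").
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for the connecting IP."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                  # not an SPF record at all
    for term in terms[1:]:
        if "=" in term:                # modifiers (redirect=, exp=) ignored here
            continue
        qualifier = "+"                # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"     # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"             # a/mx/include/exists/ptr need DNS lookups
    return "neutral"                   # nothing matched and no "all" term


def receiver_action(result: str) -> str:
    """What a checking receiver does: a hard fail is rejected during the SMTP
    session rather than bounced afterwards, so the forged domain gets no
    backscatter (the point made elsewhere in this thread)."""
    return {"fail": "reject 550", "softfail": "accept and add spam score"}.get(
        result, "accept")
```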
  • Greylisting helps (Score:5, Interesting)

    by FliesLikeABrick (943848) <ryan@u13.net> on Thursday November 09 2006, @06:53PM (#16789461)
    Since most of this spam is sent by zombies, they care nothing about the success rate of the delivery. They just pump out thousands/millions of spam messages, hit each e-mail address once and move on. If it fails or appears to fail then it just moves to the next since single-digit success rates still result in thousands or millions of free advertising for the spammer.

    As a result, using greylisting results in filtering a HUGE amount of spam out since it fakes a temporary failure from any new server connecting and waits for the server to try sending the mail again after a defined delay (according to the RFC, mailservers are supposed to try sending again if they get this temporary deferral).

    I set this up on my primary server (ubuntu with postfix) and saw a 99% decrease in spam since none of the zombies care enough to try connecting again. By the time a zombie gets upgraded to be wise enough to evade this, it is likely to fail all kinds of other spam tests anyway (referring mainly to blacklists, though blacklisting can be extremely evil by nature).

    If you run a mailserver, definitely look into setting this up. The wikipedia article explains the low-risk nature and exactly how it works: http://en.wikipedia.org/wiki/Greylisting [wikipedia.org]
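The mechanism described above as a small simulation. This is an added example, not the commenter's Postfix configuration: the triplet is (client /24, sender, recipient), the delay and expiry values are assumptions, and the zombie and MTA addresses are constructed.

```python
"""Greylisting: an unknown (client network, sender, recipient) triplet gets a
temporary SMTP failure; an MTA that retries after the delay is accepted and
remembered, a zombie that never retries is never delivered.
Added example; timings are assumptions, not the commenter's settings."""
from dataclasses import dataclass, field


@dataclass
class Greylister:
    delay: float = 300.0            # seconds before a retry is accepted
    pending_ttl: float = 4 * 3600   # forget triplets that never retry
    known_ttl: float = 35 * 86400   # proven triplets stay whitelisted this long
    pending: dict = field(default_factory=dict)   # triplet -> first seen
    known: dict = field(default_factory=dict)     # triplet -> last seen

    def check(self, client_ip, sender, rcpt, now):
        """Return ('accept', None) or ('defer', smtp_reply) for one attempt."""
        # Key on the /24 so a site whose retry comes from a sibling outbound
        # host still matches (common practice; an assumption in this example).
        net = ".".join(client_ip.split(".")[:3])
        key = (net, sender.lower(), rcpt.lower())
        seen = self.known.get(key)
        if seen is not None and now - seen <= self.known_ttl:
            self.known[key] = now              # already proven: no delay
            return ("accept", None)
        first = self.pending.get(key)
        if first is None or now - first > self.pending_ttl:
            self.pending[key] = now            # brand-new (or stale) triplet
        elif now - first >= self.delay:
            del self.pending[key]              # a real MTA retried: let it in
            self.known[key] = now
            return ("accept", None)
        # 4xx is a transient failure; RFC 5321 requires a real MTA to retry.
        return ("defer", "450 4.7.1 Greylisted, try again later")


def simulate():
    """One zombie (single attempt) and one real MTA (retries after 10 min)."""
    g = Greylister()
    me, friend = "me@example.net", "friend@example.org"
    return {
        "zombie": g.check("203.0.113.9", "pump@example.com", me, 0)[0],
        "first": g.check("198.51.100.25", friend, me, 0)[0],
        "early": g.check("198.51.100.25", friend, me, 60)[0],     # too soon
        "retry": g.check("198.51.100.25", friend, me, 600)[0],    # accepted
        "later": g.check("198.51.100.26", friend, me, 9000)[0],   # same /24
    }
```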

  • Pump and dump (Score:5, Interesting)

    by Ritz_Just_Ritz (883997) on Thursday November 09 2006, @06:58PM (#16789499)
    I run a small, but publicly traded company. Recently, I was contacted by a "PR firm" about "promoting the stock" of my company. Normally, I just hang up, but he mentioned a few "success stories" which seemed to correlate to some of the recent spam that had slipped through spamassassin. So I got his contact details and said since I was really busy "could he please email a summary of what we'd just talked about" (which he did).

    I then called the enforcement division of the SEC and said I had the name and contact details for a company that was responsible for sending a number of unsolicited pump/dump email spams to me. I also told them that I had email from the spammer himself confirming that they'd done the deed. It wasn't some innocent bystander, but the people that actually SENT the mail. I was sent to a voicemail box and assured that I'd be called back. It's now about 2 weeks later and nobody ever called me.

    And people wonder why there are so many of these vermin...uh, it's practically impossible to get caught!
  • Filter by IPs (Score:5, Interesting)

    by BerkeleyDude (827776) on Thursday November 09 2006, @06:59PM (#16789513)

    Spammers put garbage in the message body, subject, other headers, etc. in order to fool the spam filters - and unfortunately, they are often pretty successful.

    But one thing they cannot change is their IP addresses. I wrote a script to parse my mail and save the IP addresses (or more precisely, their first two numbers - e.g., 213.186) that appear in spam messages, but not in normal ones. Then, I run another script on my incoming mail - which marks the message as spam if it contains a blacklisted IP address.

    I update the list of IPs once in a while, and it works pretty decently. Right now, I have about 4,500 items in the list - each one corresponding to a range of 256^2 IP addresses - so it's about 7% of the whole address space (kinda scary). It blocks about 2/3 of spam, with almost no false positives. Most of my spam is also marked by the SpamAssassin (or whatever the mail server uses) and automatically moved into the spam folder, so I just run the script once in a while, and it "learns" on its own.
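The commenter's two scripts folded into one, as an added example that is not their code: learn the /16 prefixes that appear in the Received: headers of spam but never in legitimate mail, then flag new messages that passed through one of them. The messages and addresses are constructed (the 213.186 example prefix is the commenter's); hops inside RFC 1918 space are ignored because they say nothing about the sender.

```python
"""Learn /16 prefixes seen in spam Received: headers but never in ham, then
flag new mail routed through one. Added example; all messages are constructed."""
import email
import ipaddress
import re

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Hops inside our own network (RFC 1918, loopback) are never learned.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def received_ips(raw):
    """Public IPv4 addresses named in a message's Received: headers."""
    msg = email.message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        for text in IPV4.findall(hdr):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue                            # e.g. 999.1.1.1 in a hostname
            if not any(ip in net for net in INTERNAL):
                ips.append(ip)
    return ips


def prefix16(ip):
    return ".".join(str(ip).split(".")[:2])         # 213.186.5.9 -> "213.186"


def learn_prefixes(spam_msgs, ham_msgs):
    """The commenter's rule: prefixes seen in spam but in no ham message."""
    spam_p = {prefix16(ip) for m in spam_msgs for ip in received_ips(m)}
    ham_p = {prefix16(ip) for m in ham_msgs for ip in received_ips(m)}
    return spam_p - ham_p


def is_spam(raw, blocked):
    """Second script: mark a message if any hop sits in a blocked prefix."""
    return any(prefix16(ip) in blocked for ip in received_ips(raw))


def make_msg(hops, subject):
    """Constructed raw message with one Received: line per relay hop."""
    headers = "".join(f"Received: from {h} by mx.example.net; "
                      "Thu, 9 Nov 2006 18:33:00 +0000\n" for h in hops)
    return f"{headers}Subject: {subject}\n\nbody\n"


SPAM = [make_msg(["[192.168.1.5]", "pc-55.isp.example [213.186.5.9]"], "HOT STOCK"),
        make_msg(["[192.168.1.5]", "zombie.example [203.0.113.77]"], "Buy now")]
HAM = [make_msg(["[192.168.1.5]", "mail.example.org [198.51.100.20]"], "lunch?")]
```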

  • by mgkimsal2 (200677) on Thursday November 09 2006, @07:01PM (#16789523) Homepage
    spam, due to all the filtering, I'm starting a collection. You can watch my spam at http://www.watchmyspam.com/ [watchmyspam.com] RSS feeds and a mailing list are coming soon - we're still in beta right now...
  • by carpeweb (949895) on Thursday November 09 2006, @07:07PM (#16789551) Journal
    I noticed a few SPF comments (can't reply directly to them due to the new /. "system" that seems to prevent threading).

    I have not noticed that it helped at all in my case. I have a postmaster account set up with my host that catches all the replies to spams that are sent spoofing my domain. The number seemed to drop in the first week or so after I set up SPF, but it's now back up to an average of 500-1000 per day, and that's just the automated replies I'm seeing.

    I assume the number of spams being sent is much higher, by orders of magnitude.

    From the other comments, it seems possible that I'm misinterpreting the responses. Are they merely an indication of "success"? In other words, are they all just automated responses from the mail servers that correctly figured out (via SPF) that someone was spoofing my domain? This seems illogical, since I'm not sure why a mail server that figured this out would bother with an automated response. Such a policy would double the traffic associated with each "success", which is why it seems illogical to me.

    In addition, of course, I see "out of office" and similar replies from individual mailboxes. Are these merely the indication of mail servers that have not implemented SPF on their (receiving) end? While that doesn't seem illogical, it seems just too easy. In other words, this issue has made me a little paranoid, and I just want to make sure I'm not relying overly much on SPF.

    Are there other tools I could/should be using?

    BTW, I've never, ever received a spam that spoofed a real domain of a large organization. I've seen lame phishes like paypal5.com, but never anything exactly like paypal.com, for example. It's hard to believe that the big guys are 100% successful with just SPF. Am I just being paranoid again?

    Thanks in advance!
  • by goofy183 (451746) <eric,dalquist&gmail,com> on Thursday November 09 2006, @07:08PM (#16789559) Homepage
    These are meant to poison filters. The idea being that if they send a lot of messages with text they know doesn't look like spam, they can poison the filters and later use those known words/patterns to get real spam through the filter. There are likely other bits they are trying to poison as well with the non-SPAM SPAM messages.
  • Tell the truth (Score:5, Insightful)

    by grcumb (781340) on Thursday November 09 2006, @07:47PM (#16789763) Homepage Journal

    Is there any chance whatsoever that we might somehow convince people to start telling the whole truth?

    Levine's assumption is this spike in spam levels is a result of a new generation of viruses and zombies that can infect PCs more quickly and are harder to get rid of. In its October report, messaging security vendor MessageLabs says the spike is largely due to two Trojan programs, Warezov and SpamThru.

    This description is almost a lie. This is not malware for PCs. This is malware for Windows. Not Linux, not 'PCs', Not Mac, Not Amiga, BeOS, Wind River, Next, BSD... whatever.

    I'm not bashing, creating FUD or anything else. This Is Not A Trap. I'm just sick and tired of being painted with the same brush as Windows. The 'PC Virus' term is misleading; it makes my life a lot more difficult when I have to go to great lengths to explain to people that, actually, almost all of this malware only affects Windows and the software that runs on it.

    Try to imagine how Bayer would have responded if the poison Tylenol scare in the late 80s were characterised in the media as 'poison headache remedy'? They would have freaked, and consumers would have, too. Journalists have a duty to report accurately and completely on issues that affect us, and this intellectual laziness is starting to look more and more like dishonesty as time goes on.

  • by Anonymous Coward on Thursday November 09 2006, @07:53PM (#16789777)
    I used to work for a spam company. They would buy 10 domains a week at $5/domain (reseller license). I set up SPF records for all of those domains because it would reduce the spam score at some ISPs if mail came from a domain with a valid SPF record. We were making $20k/day, so the cost of buying a domain was minimal. SPF records aren't quite used the way they should be.
  • Re:Tell the truth (Score:5, Interesting)

    by Large Green Mallard (31462) <lgm@theducks.org> on Thursday November 09 2006, @08:25PM (#16789997) Homepage
    Mmm well. I work in IT Security for a university.. we're used to seeing random PCs get infected with stuff and sending out spam. We were surprised when a few weeks ago we saw our main linux shell machine sending out 14000 spams in an hour. Investigation showed that the spam kiddies had found out login details and set up a perl script to send spam from it. We've also seen it before from MacOS X machines running SSH with weak passwords.

    In other words, I suspect it's probably not a great long term plan to be smug about windows vulnerabilities causing all of the problems. It will continue to be one, for sure, but the spammers have other tricks which are contributing to the problem :/
  • by Cid Highwind (9258) on Friday November 10 2006, @12:18AM (#16791108) Homepage
    If content type is "multipart/related"
    And:
    Any attachment name contains ".gif"
    And:
    Sender is not in my address book
    Then:
    Move message to folder "Spam Can"

    Translate rules as necessary for your favorite mail client.