Spam Doubles, Finding New Ways to Deliver Itself 486
An anonymous reader noted that the times is running a piece on the rise in spam that you might have noticed in your inbox over the last 6 months. Gates promised the end of spam by 2006, but they figure it's doubled in the last few months. And best of all, a huge percentage of spam is now images that circumvent traditional text analysis.
Picture spam (Score:4, Interesting)
I'm very surprised these all come through the gmail spam filter. By now it should be easy to identify them.
End of spam by 2006? (Score:1, Interesting)
Another problem (Score:5, Interesting)
While email spamming is still the main problem, it would be nice to see the mainstream media realise that there is a growing danger in people exploiting community websites nowdays, because all it takes is for one of these operations to install enough spyware/get traffic from sites/top search engines for banking/insurance etc websites, then they will start taking consumer's data faster than spam would - all without the majority of customers realising, because they think the main threat is in their inbox.
Re:Picture spam (Score:2, Interesting)
"Maybe it would be possible to OCR every image as it comes through"
It is [apache.org].
Re:ban images? (Score:5, Interesting)
HTML in e-mail was never standard functionality anyway. E-mail is a text medium, which has grown in some ways without growing the infrastructure to go with it.
HTML e-mails annoy the hell out of me, mainly because for a long time I was quite content to use older e-mail clients that didn't support them. But that's not what I was lamenting.
I was lamenting how anti-spam measures have made e-mail less and less useful. It was drowned out by the righteous replies of "I'll do whatever I want with my mail server". You can do whatever you want with your own server. But I'm allowed to lament the fact that e-mail has become less and less useful.
It seems to me that there is no technological solution to this problem as long as it remains profitable to SPAM. Any technological solution is short lived (i.e: arms race) and will have at least some negative effect. Can't we take away the financial motivation to SPAM? Go after the companies whose products are being sold? The spammer may or may not be offshore or may or may not be using zombies but if that spam message is to be successful then it has to point me at a product. Go after that product!
That's probably naive of me and smarter people then I have attempted to solve this problem. Still, I miss the days when I could just put up an e-mail server and all it had to do was deliver messages to my users. It wasn't the servers job to care about what was in the message -- it was the clients.
Re:Image spam? (Score:5, Interesting)
It's nothing for the spammers to analyze a captcha, even if they want to. But for every obfuscated image they send to you, you've got much fewer resources to try and analyze it. Even if you build a monster mail transport (muchos dinaros) they'll just bot a few more idiot machines and overwhelm you.
In fact, that's apparently a new tactic some of the more scummy spammers have been taking. If your filtering/tarpitting is TOO good, they'll just unleash the whole botnet onto you and crash your mail servers until such time as you see that it's better to take their crap than try to fight them. I've seen admins complaining about it on NANAE.
It seems outrageous to say this in relation to something as "unimportant" as email... but I really, truly wish we'd start seeing some fatalities amongst the spammer set.
Re:One viable alternative (Score:1, Interesting)
If you run your own mail server, it's worth checking out.
Re:ban images? (Score:4, Interesting)
This happens today with email viruses and botnet attacks, and don't think that it wouldn't happen if you attacked products advertised in spam.
Re:Spam is a non-issue for those in the know. (Score:3, Interesting)
I beg to differ. My limited distribution email scheme has been completely foiled by email list selling (by companies I deal with, including pseudo-government departments) and by worms which have harvested emails in the past. Heck, it only takes a single one of my "trusted" contacts (close friends, family) to decide to forward a message to a group with the list recipients viewable and then any of those people who get a virus will let that email into the wild.
I'm tempted to can the whole partitioning of emails altogether and go back to a single email. The system used to work before there were spam filters, and when I could trust the party on the other end. Since both of those are now false, I may as well just simplify.
Re:Fuzzy OCR (Score:3, Interesting)
Who is responding to spam? (Score:2, Interesting)
Re:ban images? (Score:3, Interesting)
No joke. HTML in email is a lesson in frustration when trying to design an E-Newsletter or some such marketing thing. Though, once you get your feet dirty, you start to know what you can and cannot do easily.
However, I do appreciate HTML emails and they have good uses. It's cost-effective and a great way to deliver attractive marketing messages to customers. Of course, that's when I (or one of my companies customers) ask for that email. Spam sucks. But we don't want to screw over all the people who use it for good purposes. As it is, my Gmail account seems to be handling spam pretty well.
Cheers,
Fozzy
Re:anti-spam tactics now anti-filter (Score:1, Interesting)
I have the solution to spam: we start executing stupid people.
"Normalization of deviance" (Score:4, Interesting)
When and why did we accept needing elaborate programs to throw away our email before we looked at it? When and why did we accept not being able to send files in email, after spending years defining and implementing MIME?
There have been cities that got so accustomed to street crime that people starting blaming the people who got attacked instead of the criminal. When and why did we get to the point that someone could tell a normal (and savvy) user of email
>You don't have to be a complete fucking tool you're entire life you know.
?
Not that I have a solution, I'd be out getting rich if I did.
Re:Wrong. (Score:3, Interesting)
One down [wired.com], 124 to go [spamhaus.org].
Not that I'd ever advocate anyone doing anything illegal, of course. But I just can't seem to be able to shed any tears for Mr. Kashnir. I doubt many are.
Re:WE INVITE YOU TO COME SEE THE 2020 (Score:4, Interesting)
Of course now that the spammers know this, they're moving around the letters, putting in noise, and throwing various geometric shapes into the background to confuse the OCR.
The bad thing is, at this point the only thing they're able to use it for is trying to pump up a stock. Any links and we'd kill it dead really quick. It boggles my mind that people could possibly take a "stock tip" from a picture of jumbled up, scrambled words with all sorts of triangles and circles in the background.
Graylisting + Honeypot DB = goodbye spam (Score:3, Interesting)
No filters (text or otherwise), no false positives, hundreds of spam messages arrive at my server every day, and approximately 1 a day gets through. I can live with that. Sometimes, a legitimate email will get delayed by several hours. Since I often don't check my email for hours at a time, I can live with that too.
I'm sure there must be some problem that keeps this solution from being widely deployed. But if you're geeky enough to run your own mail server, give it a try. It sure beats fussing with all those filters and crap.
Has there been an increase in spam? Huh. I didn't notice.
Re:One viable alternative (Score:3, Interesting)
I wrote my own greylister (<plug>Spey [sf.net]</plug>) and it works really well. (I will also point out that people who complain about it making email too slow have a major education problem --- email doesn't guarantee anything about delivery times. If they rely on the email being delivered within a certain amount of time, then they'll be screwed when that doesn't happen for completely legitimate reasons. But anyway.)
So far I've only had one false positive: Yahoo Groups. They have this brain-damaged system which probes to see if an email address is valid when you subscribe to a mailing list. Unfortunately, the probe mechanism, which is a bad idea at the best of times, is broken and doesn't retry after getting a 451 Try Again Later. This violates the RFC, of course. I've tried to complain, and find myself unable to contact an actual human. Whitelisting *@returns.groups.yahoo.com fixes this.
Re:It's the bottom line, stupid! (Score:5, Interesting)
So if you, as a spam recipient, play along with their stock game, you can make money, while helping drive up the price for the spammers to make their profit.
As for buying spammed products, I've long held the opinion that no one need to buy any products for the spam to keep flowing. Much like the pump and dump schemes, I get the feeling that a lot of spam originates from people paying for 'internet marketing' services touted in various 'get rich on the internet' programs. So the actual money-making product is the 'service' that's being sold to those down the chain.
Re:WE INVITE YOU TO COME SEE THE 2020 (Score:5, Interesting)
This never works, simply because the scammer has such an enormous volume of the stock pre-purchased that they can easily undercut your selling price on the market while still making a profit, and hence their stocks will always be dumped before yours are. Of course, in theory, if you have an even larger volume, and can undercut them, you could profit. That would, however, technically mean you are now the pump and dump scammer, even if they do all the work for you.
Re:Wrong. (Score:5, Interesting)
(x) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Incidentally I've found a post [slashdot.org] detailing the origins of the form if anyone's interested.
Missing option. (Score:3, Interesting)
with a while back. It's a hybrid legislation and
vigilante approach in which the law legalises one
very specific form of vigilanteism:
Here is my law:
Make it not illegal to send hot cheques or
bogus credit card numbers to spammers.
This permits a kind of reverse spam. We know that when
some item is offered for sale via spam, only a very tiny
percentage of people respond to buy the stuff. If outraged
recipients were allowed to send bad cheques and incorrect
credit card numbers to these bozos, they would fall victim
to the exact same set of problems that we suffer...that
of separating good money from reverse-spam that we would send
to them.
Just as it doesn't take many respondants out of the millions
they spam to make a profit, it doesn't take many of the
millions of victims to send a bad cheque or a bogus credit
card number back to the spammer to mean that they have to
chase down hundreds of bogus payments just in order to collect
a handful of actual payments.
They could try increasingly sophisticated ways to 'filter'
our reverse spam - but we'd find ever cleverer ways around
that.
Well - it probably wouldn't work - there is bound to be a
flaw - but it brings a smile to my face to imagine the
spammer sitting with a million dollars worth of orders
made up of 20,000 cheques for $50 each - knowing full well
that only five of them are real and that the only way to
tell the difference it to attempt to cash each one of them.
He's made several hundred bucks from the idiot buyers - but
in order to cash their cheques he's got to pay in 19,995 bad
cheques - and because of my law, he's got no legal recourse.
If he fails to cash the handful of legitimate cheques, he
upsets his 'real' customers who bought something that didn't
ever arrive...yeah, their cheques didn't get cashed - but
they'll probably think twice about ordering stuff that was
promoted via Spam the next time.
Banks and credit card companies seeing the cost of
bouncing very large numbers of cheques and credit card
numbers would pretty soon impose a hefty surcharge onto
their banking fees for doing this - and voila! No more
direct sales spam!
Actually, I wonder whether it's even necessary to have
the law. Merely having a few tens of thousands of people
ask questions about the product - sending empty envelopes
that need to be opened, slashdotting their web servers, etc.
Anyway - feel free to shoot this idea down in flames too.