Spam Doubles, Finding New Ways to Deliver Itself 486

An anonymous reader noted that the Times is running a piece on the rise in spam that you might have noticed in your inbox over the last 6 months. Gates promised the end of spam by 2006, but they figure it's doubled in the last few months. And best of all, a huge percentage of spam is now images that circumvent traditional text analysis.
This discussion has been archived. No new comments can be posted.

  • Picture spam (Score:4, Interesting)

    by millwall ( 622730 ) on Wednesday December 06, 2006 @10:42AM (#17128978)
    The picture spam not caught by the gmail spam filters that I receive all look very very similar. Randomly generated sentences with buzz words and a "picture text" haussing a certain stock.

    I'm very surprised these all come through the gmail spam filter. By now it should be easy to identify them.
  • End of spam by 2006? (Score:1, Interesting)

    by ThiagoHP ( 910442 ) on Wednesday December 06, 2006 @10:46AM (#17129060)
    Bill Gates was never good at guessing what the future would be. Who would need more than 640K of RAM? Vista would not even run with good performance and all the bells and whistles with one thousand more RAM than that . . .
  • Another problem (Score:5, Interesting)

    by Sv-Manowar ( 772313 ) on Wednesday December 06, 2006 @10:47AM (#17129072) Homepage Journal
    Good to see them documenting the rise of email spamming, but I'm surprised the article doesn't talk more about the spammers who are running amok across websites rather than people's inboxes nowadays. While the problem of email spam is still growing, it has pretty much always been there and the public are fully aware of it (with mainstream services such as Gmail offering spam protection, etc), the huge rise at the moment is the amount of web applications and sites that are being exploited. Take for instance Youtube (with many of the most popular videos having their comment threads spammed hard), or any mainstream forum software (most commonly phpBB), where spam bots are continually developed to get around registration methods (including OCR) and then spam the forum with either their profiles or posts. Not forgetting the guestbook spamming which many of the people behind these use for SEO purposes, so they can get phishing or product selling pages to the top of search engines (even if it is for a day or so before they are penalised/blacklisted).

    While email spamming is still the main problem, it would be nice to see the mainstream media realise that there is a growing danger in people exploiting community websites nowadays, because all it takes is for one of these operations to install enough spyware/get traffic from sites/top search engines for banking/insurance etc websites, then they will start taking consumers' data faster than spam would - all without the majority of customers realising, because they think the main threat is in their inbox.
  • Re:Picture spam (Score:2, Interesting)

    by choongiri ( 840652 ) on Wednesday December 06, 2006 @10:52AM (#17129172) Homepage Journal

    "Maybe it would be possible to OCR every image as it comes through"

    It is [apache.org].

  • Re:ban images? (Score:5, Interesting)

    by Shakrai ( 717556 ) on Wednesday December 06, 2006 @11:14AM (#17129620) Journal

    HTML in e-mail was never standard functionality anyway. E-mail is a text medium, which has grown in some ways without growing the infrastructure to go with it.

    HTML e-mails annoy the hell out of me, mainly because for a long time I was quite content to use older e-mail clients that didn't support them. But that's not what I was lamenting.

    I was lamenting how anti-spam measures have made e-mail less and less useful. It was drowned out by the righteous replies of "I'll do whatever I want with my mail server". You can do whatever you want with your own server. But I'm allowed to lament the fact that e-mail has become less and less useful.

    It seems to me that there is no technological solution to this problem as long as it remains profitable to SPAM. Any technological solution is short lived (i.e: arms race) and will have at least some negative effect. Can't we take away the financial motivation to SPAM? Go after the companies whose products are being sold? The spammer may or may not be offshore or may or may not be using zombies but if that spam message is to be successful then it has to point me at a product. Go after that product!

    That's probably naive of me and smarter people than I have attempted to solve this problem. Still, I miss the days when I could just put up an e-mail server and all it had to do was deliver messages to my users. It wasn't the server's job to care about what was in the message -- it was the client's.

  • Re:Image spam? (Score:5, Interesting)

    by Brandon Hume ( 73471 ) on Wednesday December 06, 2006 @11:16AM (#17129636) Homepage
    The problem is mainly that the spammers have an absolutely IMMENSE amount of stolen processing power available to them. Botnets with hundreds of thousands of hosts, and many of those PCs have just as much, if not multiple times more processing power than any common server in your rack. Your mail server is built for reliability and I/O, and has a much longer life cycle than a desktop.

    It's nothing for the spammers to analyze a captcha, even if they want to. But for every obfuscated image they send to you, you've got much fewer resources to try and analyze it. Even if you build a monster mail transport (muchos dinaros) they'll just bot a few more idiot machines and overwhelm you.

    In fact, that's apparently a new tactic some of the more scummy spammers have been taking. If your filtering/tarpitting is TOO good, they'll just unleash the whole botnet onto you and crash your mail servers until such time as you see that it's better to take their crap than try to fight them. I've seen admins complaining about it on NANAE.

    It seems outrageous to say this in relation to something as "unimportant" as email... but I really, truly wish we'd start seeing some fatalities amongst the spammer set.
  • by Anonymous Coward on Wednesday December 06, 2006 @11:17AM (#17129664)
    I use greymilter for sendmail with a ten minute retry period, and I have *zero* spam. I see it blocking around 400 spams a day and I have *no* false positives.

    If you run your own mail server, it's worth checking out.
  • Re:ban images? (Score:4, Interesting)

    by aaronl ( 43811 ) on Wednesday December 06, 2006 @11:18AM (#17129686) Homepage
    Unfortunately, if you go after the product the spam offers, then it turns into a vehicle to damage a third party. Now when someone doesn't like a company/product, they will pay to have a few million spam messages sent out, and destroy their competition. Or they will threaten to do the same if said company doesn't pay a large amount of money.

    This happens today with email viruses and botnet attacks, and don't think that it wouldn't happen if you attacked products advertised in spam.
  • by Overzeetop ( 214511 ) on Wednesday December 06, 2006 @11:18AM (#17129688) Journal
    having separate public and limited-distribution email addresses helps, too

    I beg to differ. My limited distribution email scheme has been completely foiled by email list selling (by companies I deal with, including pseudo-government departments) and by worms which have harvested emails in the past. Heck, it only takes a single one of my "trusted" contacts (close friends, family) to decide to forward a message to a group with the list recipients viewable and then any of those people who get a virus will let that email into the wild.

    I'm tempted to can the whole partitioning of emails altogether and go back to a single email. The system used to work before there were spam filters, and when I could trust the party on the other end. Since both of those are now false, I may as well just simplify.
  • Re:Fuzzy OCR (Score:3, Interesting)

    by jannic ( 152373 ) on Wednesday December 06, 2006 @11:29AM (#17129932)
    I could just throw away every message containing an image, and the false positive rate would still be pretty low. And while doing that, throwing away every executable would be useful as well, to discard most of these stupid worms.
  • by geoffrobinson ( 109879 ) on Wednesday December 06, 2006 @11:41AM (#17130154) Homepage
    I want to see an article which tracks down the people who respond to spam and make this thing profitable. I'm sure it will take some investigative talent to find people willing to admit their behavior, but that would be interesting.
  • Re:ban images? (Score:3, Interesting)

    by Fozzyuw ( 950608 ) on Wednesday December 06, 2006 @11:42AM (#17130176)
    I want my email client to read/write messages, not the "web". It's bad that HTML emails exist ...

    No joke. HTML in email is a lesson in frustration when trying to design an E-Newsletter or some such marketing thing. Though, once you get your feet dirty, you start to know what you can and cannot do easily.

    However, I do appreciate HTML emails and they have good uses. It's cost-effective and a great way to deliver attractive marketing messages to customers. Of course, that's when I (or one of my company's customers) ask for that email. Spam sucks. But we don't want to screw over all the people who use it for good purposes. As it is, my Gmail account seems to be handling spam pretty well.

    Cheers,
    Fozzy

  • by Anonymous Coward on Wednesday December 06, 2006 @12:04PM (#17130582)
    The thing I don't understand is: who in the hell takes stock market advice from random emails? Even more so, who in the world would take stock market advice from an email that looks like that?!

    I have the solution to spam: we start executing stupid people.
  • by Beryllium Sphere(tm) ( 193358 ) on Wednesday December 06, 2006 @12:34PM (#17131194) Journal
    We're all frogs being boiled alive because we kept getting used to the temperature as it went up.

    When and why did we accept needing elaborate programs to throw away our email before we looked at it? When and why did we accept not being able to send files in email, after spending years defining and implementing MIME?

    There have been cities that got so accustomed to street crime that people started blaming the people who got attacked instead of the criminal. When and why did we get to the point that someone could tell a normal (and savvy) user of email
    >You don't have to be a complete fucking tool your entire life you know.
    ?

    Not that I have a solution, I'd be out getting rich if I did.
  • Re:Wrong. (Score:3, Interesting)

    by ultranova ( 717540 ) on Wednesday December 06, 2006 @01:01PM (#17131844)

    The "proper" solution would be to find the jackass responsible for all this shit and beat him within an inch of his fucking life.

    One down [wired.com], 124 to go [spamhaus.org].

    Not that I'd ever advocate anyone doing anything illegal, of course. But I just can't seem to be able to shed any tears for Mr. Kashnir. I doubt many are.

  • by MBGMorden ( 803437 ) on Wednesday December 06, 2006 @01:06PM (#17131944)
    They did for a while. I use a filter (Spamassassin, Postfix, and Amavisd-new based) in front of my main mail server, and a plugin called "FuzzyOCR" uses several open source OCR techniques and could stop a lot of the image spam for a while.

    Of course now that the spammers know this, they're moving around the letters, putting in noise, and throwing various geometric shapes into the background to confuse the OCR.

    The bad thing is, at this point the only thing they're able to use it for is trying to pump up a stock. Any links and we'd kill it dead really quick. It boggles my mind that people could possibly take a "stock tip" from a picture of jumbled up, scrambled words with all sorts of triangles and circles in the background.
  • by RonBurk ( 543988 ) on Wednesday December 06, 2006 @01:07PM (#17131968) Homepage Journal
    I always feel a little guilty when I read people's spam problems. Graylisting plus a database of honeypot addresses (addresses fed to spammers that no human could have ever seen, a la the CBL) sure let me quit fussing with spam.

    No filters (text or otherwise), no false positives, hundreds of spam messages arrive at my server every day, and approximately 1 a day gets through. I can live with that. Sometimes, a legitimate email will get delayed by several hours. Since I often don't check my email for hours at a time, I can live with that too.

    I'm sure there must be some problem that keeps this solution from being widely deployed. But if you're geeky enough to run your own mail server, give it a try. It sure beats fussing with all those filters and crap.

    Has there been an increase in spam? Huh. I didn't notice.

  • by david.given ( 6740 ) <dg@cowlark.com> on Wednesday December 06, 2006 @01:30PM (#17132474) Homepage Journal

    I wrote my own greylister (<plug>Spey [sf.net]</plug>) and it works really well. (I will also point out that people who complain about it making email too slow have a major education problem --- email doesn't guarantee anything about delivery times. If they rely on the email being delivered within a certain amount of time, then they'll be screwed when that doesn't happen for completely legitimate reasons. But anyway.)

    So far I've only had one false positive: Yahoo Groups. They have this brain-damaged system which probes to see if an email address is valid when you subscribe to a mailing list. Unfortunately, the probe mechanism, which is a bad idea at the best of times, is broken and doesn't retry after getting a 451 Try Again Later. This violates the RFC, of course. I've tried to complain, and find myself unable to contact an actual human. Whitelisting *@returns.groups.yahoo.com fixes this.
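
The greylisting behaviour described in the comments above (a 451 temporary rejection on first contact, acceptance after a retry delay, a sender whitelist for servers that never retry, and honeypot addresses), as an added example that is not part of any comment in this thread and is not code from greymilter or Spey. The class and function names, the 36-hour record lifetime and the rule that a honeypot hit blocks the sending IP are assumptions; all addresses except the Yahoo Groups pattern are constructed sample data.

```python
import fnmatch

RETRY_DELAY = 600        # seconds: the "ten minute retry period" mentioned in the thread
RECORD_TTL = 36 * 3600   # assumption: forget triplets that never retried within 36 hours


class Greylist:
    """In-memory greylister keyed on (client IP, envelope sender, recipient)."""

    def __init__(self, whitelist=(), honeypots=()):
        self.whitelist = [p.lower() for p in whitelist]  # glob patterns for senders
        self.honeypots = {h.lower() for h in honeypots}  # addresses no human was given
        self.first_seen = {}      # triplet -> time of first delivery attempt
        self.passed = set()       # triplets that retried after the delay
        self.blocked_ips = set()  # clients that mailed a honeypot (assumed policy)

    def check(self, client_ip, sender, recipient, now):
        """Return (SMTP code, reason) for one RCPT TO at time `now` (seconds)."""
        sender, recipient = sender.lower(), recipient.lower()
        if recipient in self.honeypots:
            self.blocked_ips.add(client_ip)
        if client_ip in self.blocked_ips:
            return (550, "client mailed a honeypot address")
        if any(fnmatch.fnmatchcase(sender, p) for p in self.whitelist):
            return (250, "whitelisted sender")
        key = (client_ip, sender, recipient)
        if key in self.passed:
            return (250, "known triplet")
        seen = self.first_seen.get(key)
        if seen is None or now - seen > RECORD_TTL:
            self.first_seen[key] = now   # first contact, or the old record expired
            return (451, "greylisted, try again later")
        if now - seen < RETRY_DELAY:
            return (451, "retried too soon")
        self.passed.add(key)             # a real MTA queued the message and came back
        return (250, "retry accepted")


def demo():
    """Replay constructed delivery attempts and return the SMTP codes given."""
    g = Greylist(whitelist=["*@returns.groups.yahoo.com"],
                 honeypots=["trap@example.org"])
    attempts = [
        ("192.0.2.10", "alice@example.com", "bob@example.org", 0),     # first contact
        ("192.0.2.10", "alice@example.com", "bob@example.org", 120),   # too early
        ("192.0.2.10", "alice@example.com", "bob@example.org", 900),   # proper retry
        ("192.0.2.10", "alice@example.com", "bob@example.org", 5000),  # later mail
        ("198.51.100.7", "probe-1@returns.groups.yahoo.com", "bob@example.org", 10),
        ("203.0.113.5", "x@spam.example", "trap@example.org", 20),     # hits honeypot
        ("203.0.113.5", "y@spam.example", "bob@example.org", 9999),    # same client
    ]
    return [g.check(*a)[0] for a in attempts]


if __name__ == "__main__":
    print(demo())
```

A sender that never retries after the 451, as the comment above says of the Yahoo Groups probe, stays greylisted indefinitely, which is why the whitelist check runs before the triplet lookup.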

  • by M-G ( 44998 ) on Wednesday December 06, 2006 @01:33PM (#17132538)
    And the problem is that it appears to work. For giggles, I've tracked a couple of these stocks. If you don't get too greedy, and get out before the spammers (presumably holders of large blocks of stock) dump, you can actually make a good return.

    So if you, as a spam recipient, play along with their stock game, you can make money, while helping drive up the price for the spammers to make their profit.

    As for buying spammed products, I've long held the opinion that no one needs to buy any products for the spam to keep flowing. Much like the pump and dump schemes, I get the feeling that a lot of spam originates from people paying for 'internet marketing' services touted in various 'get rich on the internet' programs. So the actual money-making product is the 'service' that's being sold to those down the chain.
  • by fosterNutrition ( 953798 ) on Wednesday December 06, 2006 @01:44PM (#17132758) Journal

    It boggles my mind that people could possibly take a "stock tip" from a picture of jumbled up, scrambled words with all sorts of triangles and circles in the background.
    The fact is that most people don't. The real reason these things are so popular is that everyone knows it's a scam. People then feel like they're "in the know," and hence that they can beat the scammer. The idea is that if you know it's a scam, you can buy stock and then dump it before the scammer does.

    This never works, simply because the scammer has such an enormous volume of the stock pre-purchased that they can easily undercut your selling price on the market while still making a profit, and hence their stocks will always be dumped before yours are. Of course, in theory, if you have an even larger volume, and can undercut them, you could profit. That would, however, technically mean you are now the pump and dump scammer, even if they do all the work for you.
  • Re:Wrong. (Score:5, Interesting)

    by A beautiful mind ( 821714 ) on Wednesday December 06, 2006 @01:45PM (#17132790)
    I think this is the second time I posted the spam form, but just for you:

    (x) Nice try, assh0le! I'm going to find out where you live and burn your house down!

    Incidentally I've found a post [slashdot.org] detailing the origins of the form if anyone's interested.
  • Missing option. (Score:3, Interesting)

    by sbaker ( 47485 ) * on Thursday December 07, 2006 @12:14AM (#17141528) Homepage
    Your form is missing an answer to the one I came up
    with a while back. It's a hybrid legislation and
    vigilante approach in which the law legalises one
    very specific form of vigilantism:

    Here is my law:

        Make it not illegal to send hot cheques or
        bogus credit card numbers to spammers.

    This permits a kind of reverse spam. We know that when
    some item is offered for sale via spam, only a very tiny
    percentage of people respond to buy the stuff. If outraged
    recipients were allowed to send bad cheques and incorrect
    credit card numbers to these bozos, they would fall victim
    to the exact same set of problems that we suffer...that
    of separating good money from reverse-spam that we would send
    to them.

    Just as it doesn't take many respondents out of the millions
    they spam to make a profit, it doesn't take many of the
    millions of victims to send a bad cheque or a bogus credit
    card number back to the spammer to mean that they have to
    chase down hundreds of bogus payments just in order to collect
    a handful of actual payments.

    They could try increasingly sophisticated ways to 'filter'
    our reverse spam - but we'd find ever cleverer ways around
    that.

    Well - it probably wouldn't work - there is bound to be a
    flaw - but it brings a smile to my face to imagine the
    spammer sitting with a million dollars worth of orders
    made up of 20,000 cheques for $50 each - knowing full well
    that only five of them are real and that the only way to
    tell the difference is to attempt to cash each one of them.
    He's made several hundred bucks from the idiot buyers - but
    in order to cash their cheques he's got to pay in 19,995 bad
    cheques - and because of my law, he's got no legal recourse.
    If he fails to cash the handful of legitimate cheques, he
    upsets his 'real' customers who bought something that didn't
    ever arrive...yeah, their cheques didn't get cashed - but
    they'll probably think twice about ordering stuff that was
    promoted via Spam the next time.

    Banks and credit card companies seeing the cost of
    bouncing very large numbers of cheques and credit card
    numbers would pretty soon impose a hefty surcharge onto
    their banking fees for doing this - and voila! No more
    direct sales spam!

    Actually, I wonder whether it's even necessary to have
    the law. Merely having a few tens of thousands of people
    ask questions about the product - sending empty envelopes
    that need to be opened, slashdotting their web servers, etc.

    Anyway - feel free to shoot this idea down in flames too.
