Spam is Back With A Vengeance

Ant writes "The Red Tape Chronicles reports that just last December (2006), the FTC published an optimistic state-of-spam report. It cites research indicating spam had leveled off or even dropped during the previous year. It now appears spammers had simply gone back to the drawing board. There's more spam now than ever before. In fact, there's twice as much spam now as opposed to this time last year. And the messages themselves are causing more trouble. About half of all spam sent now is "image spam," containing server-clogging pictures that are up to 10 times the size of traditional text spam. And most image spam is stock-related, pump-and-dump scams which can harm investors who don't even use e-mail. About one-third of all spam is stock spam now."
  • by BigJim.fr ( 40893 ) <jim@liotier.org> on Sunday January 21, 2007 @10:08AM (#17701642) Homepage
    Last month I installed FuzzyOCR on my SpamAssassin setup and I can now testify that rare is the image spam that gets through. I wrote an article about it if you want more detail: http://serendipity.ruwenzori.net/index.php/2006/12/19/fuzzyocr-hits-debian-unstable-and-eradicates-image-spam [ruwenzori.net]
  • by Smallpond ( 221300 ) on Sunday January 21, 2007 @10:20AM (#17701716) Homepage Journal
    Score:1, Redundant

    By definition, shouldn't any post about spam be marked redundant?

    Anyway, I run a mailserver. What I see is surges of email for whatever happens to be the current scam. Last year it was mostly mortgage offers (Get a cheap, misspelled mortqaq3 today!!!) Spamassassin + RBLs eliminate about 70% of the flood. Image-only email is flagged by spamassassin. Now random text is added to get past the Bayesian filters. The arms race continues.

    BTW, if you are the type to send copies of spam to abuse addresses, I advise you to remove identifying info and post it through an anonymous account to avoid retaliation. ISPs tend to forward it to the spammer.
  • by gvc ( 167165 ) on Sunday January 21, 2007 @10:23AM (#17701734)
    The volume of spam is definitely up, and most of it is pump and dumps from a very few distinct sources. In December, about 20% of the 30,000 spams I received were for one particular stock.

    http://it.slashdot.org/article.pl?sid=06/12/21/2314241 [slashdot.org]

    But it is wrong to say that this new spam requires radical new filtering techniques. That's what the spam solution vendors (whose press releases drive these /. articles) want you to believe so you'll buy their products. In general, word salads, obfuscated words and image spam do not defeat state-of-the-art statistical filters.

    See, for example, the recent TREC tests: http://plg.uwaterloo.ca/~gvcormac/trecspamtrack06 [uwaterloo.ca]

    These results show that filters achieve about the same results on 2006 spam as on 2004 spam, and those results are pretty good. Ongoing tests show that the effectiveness of filters is unchanged for 2007. In general, the volume of spam has increased, and spammers have tried various methods of defeating spam filters. But their efforts have not been particularly successful against statistical filters.
  • by antifoidulus ( 807088 ) on Sunday January 21, 2007 @10:29AM (#17701762) Homepage Journal
    SpamAssassin is great, but it only solves part of the problem. We installed SpamAssassin where I work in July and it's a good thing we did it then, we have seen the spam we receive on a daily basis rise at an exponential rate starting in August (we have maybe 100 or so users). It does solve the spam problem from the end user's point of view, SpamAssassin has almost no false positives or false negatives, but the increased volume of spam has still caused headaches. The bandwidth is obviously one, but another is that we installed SpamAssassin on an older server, naively thinking we wouldn't see said exponential increase in spam. However, now that 90+% of the messages that we receive are spam, the machine is starting to struggle. We are still ahead, but the fear is that if this rate of growth keeps up, the messages will come in faster than we can process them, which means more spent on hardware, manpower, electricity etc. The costs of spam are really being forced on the users of email.....
  • In /. before (Score:2, Informative)

    by pilsner.urquell ( 734632 ) on Sunday January 21, 2007 @10:31AM (#17701774)
    This shouldn't come as a surprise to anyone: One Last Spamhaus Warning Before The End [slashdot.org]
  • by that this is not und ( 1026860 ) on Sunday January 21, 2007 @10:35AM (#17701798)
    The images are being 'peppered' with background noise.
  • by erica_ann ( 910043 ) <erica.stjohn@gmail.com> on Sunday January 21, 2007 @11:11AM (#17701998) Homepage Journal
    Not only am I seeing more Spam hitting my inbox.. I am seeing more spam on WordPress Blogs. This is where I am seeing the most problems.

    The email server I use tags and filters spam, but the WordPress Blogs are filling up with Spam, plus it is clogging up MySQL databases for comment spam that it uses all the processing power up - so the other services on the box as well as the webserver crawl to a slow. Even with other programs such as Akismet marking the comment posts as spam, the problem lies in the database being tied up.
  • by Anonymous Coward on Sunday January 21, 2007 @11:14AM (#17702024)
    Go on try that... and your boss will shoot you. Mails from financial sites use gif attachments.
  • by Equuleus42 ( 723 ) on Sunday January 21, 2007 @11:20AM (#17702072) Homepage
    Perhaps the SEC could require stock brokers and other companies issuing penny/OTC/pink sheet stocks to log whoever buys or sells them. There should be a discernible pattern among pump-and-dump traders that the SEC could backtrace to identify the perpetrator. I would imagine the perpetrator would not purchase the stock too far in advance, as market fluctuations during that time could make their scheme fail. They probably buy the stock only a few days or maybe weeks beforehand, and then sell immediately after the spike. Their initial purchase is probably sizable as well, more than your average investor. For most people who never deal with OTC stocks, their privacy is ensured. For those who do choose to deal with these types of stocks, it would be part of the cost of business for dealing in such a risky and crime-ridden market. The SEC needs to figure this one out sooner rather than later...
  • by Anonymous Coward on Sunday January 21, 2007 @11:42AM (#17702220)
    Put spamd with greylisting in front of SpamAssassin to take the load off.
    See http://undeadly.org/cgi?action=article&sid=20061108134508 [undeadly.org] for details on how to do this as a transparent bridge.

  • Filtering is wrong (Score:5, Informative)

    by Dion ( 10186 ) on Sunday January 21, 2007 @11:49AM (#17702244) Homepage
    What you are doing is filtering, it is wrong because all it does (when it works) is to keep you from reading spam and cost you CPU time.

    The bandwidth has already been spent once the spam reaches your filter.

    A much better approach (IMHO) is to use greylisting along with a few fast spamtrap driven RBLs, this way the mail doesn't even get transmitted to my server and I save both CPU, bandwidth and time.

    Since I switched I have gotten a max of 2 spams per day, some days the count is even zero.

    There are two reasons this approach is so great:
    1) The greylisting on its own will weed out all the non-compliant MTAs, most spammers use zombies that don't care if their payload gets delivered, so they never retry.
    2) The real MTAs that spam might get to me before hitting a spamtrap, but the greylisting tells them to come back a bit later, by that time they have hit one or more spamtraps and get blocked by an RBL.

    I have yet to think of a way for spammers to defeat this scheme and the cost to legitimate mail is a 10 minute delay the first time someone sends me mail.
  • Re:The solution (Score:3, Informative)

    by Firethorn ( 177587 ) on Sunday January 21, 2007 @12:27PM (#17702532) Homepage Journal
    Then you contact your ISP and make arrangements, after you convince them that you're not a spammer.

    Fairly simply. Though today it should be able to tell the difference between legitimate bulk email* and spam

    Such as mail-type discussion groups, business relations like people who want to receive tiger direct's ads, etc...

    When you're having to post random segments of encyclopedias and put your actual message into an image to get through the filters, it's a clue that you're not wanted.

    Those types I'd like to see shot. Heck, I'd shoot them myself.

    Oh, and I don't believe that spammers are truly a dime a dozen. I think that if we removed the 10 worst spammers we'd drop spam in the USA by 50% or more.
  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Sunday January 21, 2007 @12:36PM (#17702616) Homepage
    Rule 1: never forward spam, even to abuse addresses, and absolutely never to the 'unsubscribe' address.

    The only exception I know of is spamcop as they're (I think) trustworthy.
  • SURBL (Score:3, Informative)

    by bcrowell ( 177657 ) on Sunday January 21, 2007 @01:24PM (#17702986) Homepage
    I implemented SURBL [surbl.org] recently, and it's helped a lot. Your filter extracts URLs from the *body* of the e-mail, and checks them against SURBL's blacklist. The idea is that most spam is trying to get you to click on a link, and although they can forge the From: line, they're still constrained to give the address they want you to click on. This has been amazingly effective for me, and it's really nice because there are essentially no false positives. It won't necessarily work with pump-and-dump scams, though, since it's possible for them to say "buy SCOX," without giving a URL.
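
The body-URL lookup described in the comment above, as an added Python example (not the poster's code and not SURBL's own). The two-entry suffix set, the listed domain and the three sample messages are constructed assumptions, and DNS is replaced by a local stand-in so it runs offline.

```python
import re

SURBL_ZONE = "multi.surbl.org"            # SURBL's combined lookup zone
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au"}  # assumption: tiny stand-in for a public-suffix list
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def registered_domain(host):
    """Reduce a hostname to the domain that would appear on the list."""
    labels = host.lower().strip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def surbl_queries(body):
    """Return the DNS names to look up for every URL host found in the body."""
    names = []
    for host in URL_HOST.findall(body):
        if re.fullmatch(r"[0-9.]+", host):   # IP-literal URLs are out of scope here
            continue
        name = f"{registered_domain(host)}.{SURBL_ZONE}"
        if name not in names:
            names.append(name)
    return names


def body_is_listed(body, resolves):
    """resolves(name) -> True if the name has an A record, i.e. the domain is listed."""
    return any(resolves(name) for name in surbl_queries(body))


# Constructed stand-in for DNS so the example runs offline; a live check would
# do an A-record lookup of each name instead.
LISTED = {"cheap-meds.example." + SURBL_ZONE}
fake_dns = LISTED.__contains__

# Constructed sample messages.
LINK_SPAM = "From: your bank\n\nClick http://www.Cheap-Meds.example/buy?id=1 now"
HAM = "Minutes are at https://intranet.corp.example/minutes.html"
STOCK_SPAM = "Buy SCOX today, it is going up!"  # no URL, as in the comment above

if __name__ == "__main__":
    for label, msg in [("link spam", LINK_SPAM), ("ham", HAM), ("stock spam", STOCK_SPAM)]:
        print(f"{label:10} {surbl_queries(msg)} listed={body_is_listed(msg, fake_dns)}")
```

The forged From: line plays no part in the decision, and the URL-free stock message passes untouched, which is the limitation the comment points out.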
  • by gvc ( 167165 ) on Sunday January 21, 2007 @02:16PM (#17703434)
    there's a nice obvious "report as spam" button on every page


    Indeed every mail provider should have such an interface: a trivial way to report filtering mistakes. But you over-estimate the value of everybody else's spam reporting. A filter based only on your own reporting can have a vanishingly small number of false positives, and a small number of false negatives. So small that the total amount of reporting you have to do is no more than for Gmail.

    But many appliance manufacturers promote the scenario in which the user is not prepared to offer any feedback to the filter. It is much harder to achieve reasonable error rates in this mode of operation.

    Bottom line: Gmail's filter is pretty good, but not better than the personal spam filters I've tested. I have yet to see a "hands-free" solution that is as good as one that uses feedback. The amount of feedback required is trivial.
  • by Reaperducer ( 871695 ) on Sunday January 21, 2007 @04:14PM (#17704350)
    Better hope you never get a package from UPS, FedEx, etc... I forget which one, but there was an article a few years ago stating that one of the big delivery companies was developing a signature database.
  • by nblender ( 741424 ) on Sunday January 21, 2007 @04:18PM (#17704376)
    Greylisting doesn't work anymore. You might block a few spammers but I do greylisting with the latest version of postgrey and I still wind up with about 50 spams a day that get through to my spamassassin... Spammers take non-fatal error returns and add them to the end of the list.

    X-Greylist: delayed 58065 seconds by postgrey-1.27 at xxxxx; Mon, 15 Jan 2007 10:58:49 UTC
    X-Greylist: delayed 48829 seconds by postgrey-1.27 at xxxxx; Mon, 15 Jan 2007 11:42:10 UTC
    X-Greylist: delayed 8054 seconds by postgrey-1.27 at xxxxx; Mon, 15 Jan 2007 13:18:46 UTC

    That's from my spamassassin folder.
  • by funfail ( 970288 ) on Sunday January 21, 2007 @05:42PM (#17704976) Homepage
    "You know how dumb the average American is? Well, half of them are even dumber than that."

    That would be "median American", not "average American". Not that there is a big difference when min and max are so close and the size of sample set is so large but still...
  • by CodeBuster ( 516420 ) on Sunday January 21, 2007 @06:02PM (#17705168)
    How can one be so dense as to trust a completely random, badly worded, illarticulated e-mail full of spelling mistakes from someone you don't know to make informed decisions about what stock they should buy?

    Greed can be a powerful motivator for some people, enough to overwhelm their sense, what little they have anyway, of logic and reason which tells them that this is a scam or that an investment promise is too good to be true. Why do people play the Lottery when they know or should know that they have a better chance of being struck by lightning on their way out of the liquor store? The appeal to greed is among the oldest in the charlatan's bag of tricks, it has worked for thousands of years and it will continue to work as long as there are humans on this planet to be duped. They know that spam is spam, but they want millions of dollars too and so they continue to get burned.
  • Re:The solution (Score:3, Informative)

    by jfengel ( 409917 ) on Sunday January 21, 2007 @06:34PM (#17705416) Homepage Journal
    What I mean is, I'd like to change the protocol from:

    Spammer: Here's some email
    Server: Thanks!
    ... time passes ...
    Server: Hey, this is spam! Let's send it to jfengel!

    to

    Spammer: Here's some email
    Server: Screw you. It's spam. (or "There's no such person here. I reject it now rather than having to call you back using the forged header.")

    I suspect that the SMTP protocol already supports that. But in general, SMTP is heavily oriented towards store-and-forward in an intermittently connected, unreliable network, passing mail at midnight when the rates were cheap. Maybe that's still a good mode to support, since not everybody has high-speed lines and the network is still unreliable, but TCP and the backbone have solved the problem without some of the problems that come from store-and-forward.
  • by dodobh ( 65811 ) on Monday January 22, 2007 @12:59AM (#17707814) Homepage
    Email has never been about "immediate, guaranteed delivery". Email can and will be delayed.

    If you want immediate, use IM or make a phone call.
  • Not really (Score:3, Informative)

    by Dion ( 10186 ) on Monday January 22, 2007 @03:12AM (#17708310) Homepage
    Two points:

    1) Email has never been an instant messaging system, I've tried getting people to stop asking for an IRC/ICQ/MSN/AIM/whatever chat and just use email, but nobody listens.

    2) Any mail server that doesn't retry when given a temporary failure code is broken and needs to be replaced, sooner rather than later.

    In any case, I do review my mail logs (well I did the first two weeks of using the new system) and I saw exactly zero false positives.

    The spamtrap driven RBLs I use all list and delist servers quickly, so they also cause no false positives, but if they ever do the user who sent me the unlucky ham will get a nice bounce message, so he will be able to retry the mail or call me.

    I think getting a bounce is much nicer than just having your mail eaten by a filter.
  • Greylisting + RBL (Score:3, Informative)

    by Dion ( 10186 ) on Monday January 22, 2007 @03:20AM (#17708338) Homepage
    You seem to have missed the "+ RBL part".

    Most spammers seem to hit a number of spamtraps with each zombie at some point, so using spamtrap driven RBLs in front of greylisting means that the RBLs will take care of the verified spammers.

    greylisting gives the spamtraps some extra time to get hit, so rather than do actual blocking itself it augments the RBLs.
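
The RBL-in-front-of-greylisting arrangement discussed in this thread, together with the retrying-sender case raised against it, as an added Python example (not code from any poster or from postgrey). The addresses, timestamps and reply texts are constructed assumptions; the 600-second delay is the 10-minute figure mentioned earlier in the thread.

```python
from dataclasses import dataclass, field

GREYLIST_DELAY = 600  # seconds; the 10-minute first-contact delay mentioned in the thread


@dataclass
class Gatekeeper:
    rbl: set = field(default_factory=set)           # IPs listed by spamtrap-driven RBLs
    first_seen: dict = field(default_factory=dict)  # (ip, sender, rcpt) -> first attempt time
    passed: set = field(default_factory=set)        # triplets that already retried in time

    def check(self, ip, sender, rcpt, now):
        """Decide the SMTP reply at RCPT TO time, before any message body is sent."""
        if ip in self.rbl:                       # RBL sits in front of greylisting
            return "554 rejected: client listed on RBL"
        triplet = (ip, sender, rcpt)
        if triplet in self.passed:
            return "250 ok"
        first = self.first_seen.setdefault(triplet, now)
        if now - first < GREYLIST_DELAY:         # unknown triplet: temporary failure
            return "451 greylisted, try again later"
        self.passed.add(triplet)                 # sender retried after the delay
        return "250 ok"


def simulate():
    """Replay four constructed senders (documentation IP ranges) and collect replies."""
    gk, rcpt, out = Gatekeeper(), "me@example.net", {}
    # Compliant MTA: tempfailed once, retries 15 minutes later, accepted.
    out["mta_first"] = gk.check("192.0.2.10", "a@example.org", rcpt, 0)
    out["mta_retry"] = gk.check("192.0.2.10", "a@example.org", rcpt, 900)
    # Zombie that never retries: its only attempt is tempfailed, nothing is delivered.
    out["zombie"] = gk.check("198.51.100.7", "b@example.org", rcpt, 10)
    # Retrying sender that hits a spamtrap during the delay: listed before it returns.
    out["trap_first"] = gk.check("203.0.113.5", "c@example.org", rcpt, 20)
    gk.rbl.add("203.0.113.5")
    out["trap_retry"] = gk.check("203.0.113.5", "c@example.org", rcpt, 8074)
    # Retrying sender never listed: greylisting alone lets the retry through,
    # so a content filter still has to see it.
    out["unlisted_first"] = gk.check("203.0.113.9", "d@example.org", rcpt, 30)
    out["unlisted_retry"] = gk.check("203.0.113.9", "d@example.org", rcpt, 8084)
    return out


if __name__ == "__main__":
    for name, reply in simulate().items():
        print(f"{name:15} {reply}")
```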
  • by mpe ( 36238 ) on Monday January 22, 2007 @08:09AM (#17709256)
    One of the great features of email is immediacy.

    This is not in the spec.

    I want that receipt for my airplane ticket right now, not in a few {minutes, hours, whatever}

    Whilst this may happen there are plenty of reasons for it not happening. Including having outgoing email checked by a human being and sent as a batch job.

    We have no way of knowing how many legitimate delivery failures are caused by greylisting. That's because, as the parent points out, messages are rejected a priori and there's no quarantine to check. If you reject and for whatever reason it is not retransmitted, your mail is lost.

    Greylisting sends back a response which says "I can't process this now" try later. There are plenty of other reasons for an SMTP transaction to return this kind of response.

    Maybe this "shouldn't" happen but it does, and it happens often enough that it is not entirely obvious that its false positive rate is less than that of a spam filter.

    A "false positive" in this context is indicative of a broken MTA.
  • That's exactly what I said. The beauty of the phone is that it's intrusive, it disturbs you, it interrupts you. Exactly the properties you want when you need to talk to someone right now.

    Also, e-mail is not immediate. It can be delayed any amount that the intermediaries want, for example, because the dial-up process doesn't run again until tomorrow at noon. Or maybe because your firewall and censors haven't read it and approved it yet.

    If you insist on calling e-mail immediate, then you just don't understand the technology.
