Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Spam

Spam Catchers Block Latest Crypto-Gram 246

An anonymous reader writes "Bruce Schneier sent out a note about SpamAssassin and possibly other spam filters blocking his excellent Crypto-Gram newsletter. Fortunately you can get it here (early no less!)." Schneier's email reads, in part "Tomorrow I will be sending out the February CRYPTO-GRAM, as I do on the 15th of every month. In the process of creating this month's Crypto-Gram, I discovered that SpamAssassin thinks that this issue is spam, probably because of certain links and descriptions of scams in the text. I have anecdotal evidence that other spam filters block Crypto-Gram as well. ... I'd apologize for the inconvenience, but I'm not sure what I could do to make it less so -- I don't intend to alter my content to accommodate spam filters."
This discussion has been archived. No new comments can be posted.

Spam Catchers Block Latest Crypto-Gram

Comments Filter:
  • by Chris_Stankowitz ( 612232 ) on Sunday February 16, 2003 @12:50AM (#5312549)
    block that important e-mail I was waiting for on enlarging my....never mind, I have to check my e-mail now.
  • by Anonymous Coward on Sunday February 16, 2003 @12:52AM (#5312568)
    but why not distro the newsletter encrypted? then the spam filters wouldnt have anything to trigger the filters, and id say the target audience have the knowledge to unencrypt it when it gets there..
    • Sure. Assuming Schneier has the public keys of all his subscribers, AND the processing power to encrypt everything in a reasonable span of time. That second is a big if, considering the number of subscribers. It would be possible to use a symmetric algorithm and include the key in the message, but while most readers would have the knowledge to decrypt it, they would likely not have the software to do so easily, and so it would be much more convenient for them to just get the announcement and go check the website, as opposed to spending half and hour trying to find and configure software.
      • Is it possible to encrypt the Crypto-Gram article with Schneier's private key, then every one receiving it just use Schneier's public key to decrypt it?
      • Schneier could encrypt it with his own private key, which would allow anyone with access to his public key to decrypt it. This would also prove that the email is from him, provided you could trust the public key as being his.
    • There would be a tremendously large problem with encrypting the message to all of it's recipients...

      See, when you PGP encrypt some text, it is only possible to encrypt it to one person (one public key). That's just how it works, it's inherent in the encryption methods used; however, PGP and GPG get around this by duplicating the entire message for each public key that it is encrypted to.

      My point is that if you had a mailing list with 1000 subscribers, and you wanted to encrypt it, you'd basically be increasing the size of the encrypted message 1000-fold, because you need 1000 copies of the message, each encrypted to a given recipient. Obviously, this isn't feasable...

      What they could do, though, is sign the messages. I know SpamAssassin, at least, reduces a message's spam score if there is a PGP signature attached to it.

      However, if you were just trying to obscure the contents of the mail from the spam filter but not the user, you could just gzip the message and make it an attachment. I don't know how well that would go over with the spam filter, but at least it wouldn't find your m/blow.*job/s in the message ;)
      • See, when you PGP encrypt some text, it is only possible to encrypt it to one person (one public key). That's just how it works, it's inherent in the encryption methods used; however, PGP and GPG get around this by duplicating the entire message for each public key that it is encrypted to.
        My point is that if you had a mailing list with 1000 subscribers, and you wanted to encrypt it, you'd basically be increasing the size of the encrypted message 1000-fold, because you need 1000 copies of the message, each encrypted to a given recipient. Obviously, this isn't feasable...


        Actually it's trivial. You encrypt with a private key then anyone who has the public key can decrypt it.
        This is how PGP/GPG signing of a message works. You have a checksum encrypted with a private key, when you receive the message the software attempts to decrypt the checksum then compare it with what it has calculated the checksum to be. If the decryption fails the message isn't from the claimed source, if the checksum fails it has been altered.
      • See, when you PGP encrypt some text, it is only possible to encrypt it to one person (one public key). That's just how it works, it's inherent in the encryption methods used; however, PGP and GPG get around this by duplicating the entire message for each public key that it is encrypted to.

        Incorrect. When PGP or GnuPG encrypts a message with a public key, they really just encrypt the message with a symmetric cypher and a sufficiently long, random key. Then they encrypt the key with the public key. (The reason for this is that public key cryptography is much, much slower than symmetric key stuff.) So for sending to multiple recipients, all that needs to be added is some additional header data for each recipient.

        -rw-r--r-- 1 phil phil 212358 2003-02-16 13:01 original
        -rw-r--r-- 1 phil phil 90343 2003-02-16 13:02 one-recipient.gpg
        -rw-r--r-- 1 phil phil 90893 2003-02-16 13:04 three-recipients.gpg

        A better solution would still be to encrypt the message with a particular public key for which the private key was widely available. Encrypting the message with Bruce Schneier's private key makes sense cryptographically, but I don't believe PGP and GnuPG support that sort of behavior.


        --Phil (Far too much of a crypto geek)
        • A better solution would still be to encrypt the message with a particular public key for which the private key was widely available. Encrypting the message with Bruce Schneier's private key makes sense cryptographically

          So, you're saying Bruce Schneier's private key is widely available? ;-)

      • If I remember correctly, PGP encrypts the entire message with 'normal' (not public-key) encryption, then encrypts the key with public-key encryption. So, you could send the message to 1000 people, and not have the message included 1000 times. You would however have a 1000 copies of the key (1024 bits?), all encrypted with a different private key.
    • then the spam filters wouldnt have anything to trigger the filters
      Really? A lot of HTML spam used to encrypt itself and then have a little piece of javascript that decrypted it embeded in the email. This was quite easy to block, since all a spam-blocker had to do was spot emails not containing any words of your favourite language. I'm not sure if SA does this, but I wouldn't be surprised if it blocks all encrypted messages.
  • by telstar ( 236404 ) on Sunday February 16, 2003 @12:52AM (#5312569)
    So he sends out the Crypto-Gram newsletter, then he sends out a note about the Crypto-Gram newsletter. 2 emails to cover what should've been sent as 1. Seems like the spam filter is doing just fine ...
  • White List (Score:5, Insightful)

    by SealBeater ( 143912 ) on Sunday February 16, 2003 @12:54AM (#5312574) Homepage
    That's easy to fix, add the crytogram address to a whitelist. Every spam
    filtering software I've ever run, including spamassasin (which I like a great
    deal) has a whitelist option. If you're running some kind of filtering
    software, it behooves you to keep an eye on what it's blocking, hence, I am
    sure that people are aware of it and have adjusted their software accordingly.

    SealBeater
    • As a lot of people will probably whitelist cryptogram, if one wishes to spam technical people, he just needs to set From to Bruce.
    • If you're running some kind of filtering software, it behooves you to keep an eye on what it's blocking...
      I agree; it is disturbing to get hit by a false positive, never know about it, and then later find out that you missed an email from someone that you would rather have read. So you'd like to review what gets rejected. Unfortunately, at some point that puts you right back to reading spam again!
  • Whitelist (Score:5, Interesting)

    by sean23007 ( 143364 ) on Sunday February 16, 2003 @12:55AM (#5312578) Homepage Journal
    That's why most good spam blockers (especially OS X's Mail.app) use their filters but compare the senders to a whitelist so that your friends can send you whatever they want to. If you've been receiving CRYPTO-GRAM for a while, it should be on your whitelist, and the blocker should just let it by.

    But you don't always want to get everything people send you (everybody has those people who send you things they think are funny but you just can't stand). So there should be levels of "friendship" in the whitelist, so that some senders can be considered dubious (their mail shouldn't be deleted like spam, but perhaps placed in a different "Uninteresting" folder).
    • Re:Whitelist (Score:3, Interesting)

      So there should be levels of "friendship" in the whitelist, so that some senders can be considered dubious (their mail shouldn't be deleted like spam, but perhaps placed in a different "Uninteresting" folder).

      I, for one, would love to see a feature like this in a mail program!
      Actually, I'd like to participate in the development of an existing open source email app if someone could recommend one. Java based would be nice.
      • So there should be levels of "friendship" in the whitelist, so that some senders can be considered dubious (their mail shouldn't be deleted like spam, but perhaps placed in a different "Uninteresting" folder).

        I, for one, would love to see a feature like this in a mail program! Actually, I'd like to participate in the development of an existing open source email app if someone could recommend one. Java based would be nice.

        SpamAssassin already does something like this. First, it comes with a set of whitelisted addresses, like ebay.com, etc. It's quite possible that Cryptogram will be included in that list next time around.

        But better than that, SA has something called autowhitelisting that keeps track of the average spam score for people who sucessfully get mail delivered to you (through the filter). This means that a good friend, who's mails are normally fine, can send you a spam-ish mail that gets through, or if your friends are borderline, like above, they may only get a few points for being a friend and a spam-ish mail will trigger the filter.

    • Do you remember where that quote is from?
      It reminds me of another good one:

      Arrogance is compensation for a lack of intelligence.

      that I think was the same person, but I can't seem
      to find either of those quotes.
      • Actually I invented my sig 3 years ago in my freshman English class. I was trying to comprehend the idiocy of my classmates, and the phrase just wrote itself down on paper.

        I do not know who invented the quote you mentioned (but I'm pretty sure it wasn't the same person... ie "not me" ;) ), but I would certainly subscribe to it.

        And by the way: if anyone can find a classical source that actually invented my sig, I would be interested in knowing it. As far as I know, I invented it, but if someone else came up with it first, I plagiarised it completely unknowingly. If I didn't really come up with it, I would like to give credit where credit is due.
    • Re:Whitelist (Score:3, Informative)

      by SimplyCosmic ( 15296 )

      Well, in terms of Spamassassin, you could create rules which subtracts a particular number of points from the spam score of any particular message, rather than letting it through automatically, which gives it a better chance to go through if it's a pretty un-spam-like content.
  • by Anonymous Coward on Sunday February 16, 2003 @12:55AM (#5312582)
    SpamAssassinAssassin could look at the folder where you put your filtered mail and learn what to pull back out, and flush the rest to /dev/null.

    I'm sure Paul Graham will be glad to write it in lisp.

    Or, of course, we could just do what the obvious solution is: get in a P.O. Box, send out spam for herbal viagra and penis enlargement, and when you get the checks in the mail HUNT THE CUSTOMERS DOWN AND KILL THEM.

    It's simple, really.
  • by MrByte420 ( 554317 ) on Sunday February 16, 2003 @12:57AM (#5312589) Journal
    False-Positives should be a non-issue. Either you choose to run a spam filtering software and live with thoose limitations or don't run a spam filtering program and deal with the extra emails about enlarging various organs that you will receieve every day.
    I do tech support for a webhosting company and people call us every day complaining about their spam but as soon as we offer blocking software based on lists, etc all we get is complaints that some more-valuable-than-gold email is going to get lost and ruin their entire business.

    This is a simple choice and people have to learn they can't have their cake and eat it too.
    • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Sunday February 16, 2003 @01:25AM (#5312680) Journal
      Thank you. Also, if all the bayesian filtering advocates are right, then the users should be able to mark the Cryptogram as non-spam, and the filter should adapt. More to your point, though, is that lack of spam-filtering software can cause false-positives in your own personal, analog, spam filtering algorithm. Many of my users have deleted important, non-spam, automated emails manually because they thought it was spam. Sometimes, the machine might have less false positives than they would.

      Huh. It occurs to me that it seems like some spam filters might pass a turing test if the only output is their spam judgment. Wow. The future is now, dude.
    • by 1u3hr ( 530656 ) on Sunday February 16, 2003 @01:33AM (#5312713)
      Either you choose to run a spam filtering software and live with thoose limitations or don't ...

      Except if it's done upstream from you, perhaps even without your knowledge (eg a few months ago it was found that Mac.com was aggressively filtering, with a lot of false positives).

  • by markfletcher ( 612245 ) on Sunday February 16, 2003 @12:59AM (#5312595) Homepage
    This illustrates one of the big problems with filters. They will never be perfect, spammers are always adjusting to them (even the Bayesian ones), and the way many are implemented, they make email unreliable (by deleting suspected spam messages and not bouncing them). Blocking untrusted servers by IP address avoids these issues.

    obPlug: This is why I created Trustic [trustic.com].

    • So blocking untrusted servers doesn't make email unreliable? I find that very hard to believe. Considering that most of the time it is Net blocks that are blocked, not just individual IP addresses.

      blocking IP addresses is also open to abuse... If I had a grudge against an ISP, I could fake some SPAM headers and send it to any of the IP blockers. Maybe send several copies from different accounts. Getting an IP listed is usually easier than getting it removed, so in the mean time many legitimate emails are being blocked...

      I believe you have to attack the root of the problem, and that is stopping the SPAM at the origin. This is probably the more difficult approach, but it is the only one that will avoid dropping legitimate mail.

    • This is exactly why content-based filters will never work: the professional spammer will take the time and run his e-mail through filters until he gets a good result (a negative answer). The non-spammer will not take the time to test his e-mail with all the spam-filters. Therefore, it is very likely that legitimate content will be filtered and professionally composed spam e-mails will not. So IMHO, Spam-Assassin and all the other content-based spam-filters are completely useless.
      • Well guess I only get spam from non-professional spammers then. I run spamassassin on my server and almost never get any spam into my Inbox. I get maybe 5-10 spams a day and they all get tagged by spamassassin and procmail filtered into a folder where I check them for false positives before deleting. The only false positives I get is a news letter from the airline KLM, for which I am too lazy to set up a procmail filter since I never read it anyway.

        I have filters for all my mailing lists and so forth in my .procmailrc and then the spamassassin filter at the end. Works like a charm for me.
  • by Leeji ( 521631 ) <slashdot.leeholmes@com> on Sunday February 16, 2003 @01:03AM (#5312605) Homepage

    This is exactly the problem with most content filtering approaches.

    It is very hard to discern the difference between talk about sex, spam, viruses, etc and talk from sex, spam, viruses, etc. Newsletter authors go as far as writing "v*rus" and "sl*mmer" so that pitiful content filtering blocks don't trash them.

    It gets even worse for email lists that use inline text ads. The ads alone would constitute spam, but they're nestled within several paragraphs of high-quality discussion.

    The problem is that content filtering approaches usually only analyze the "spamminess" of a piece. They usually don't analyze the "goodness" of a piece. So if I put "hot teens go crazy for debt-free viagra while earning $$$ from home" in the middle of some fine Shakespeare, that will get flagged as spam.

    The new "bayesian" approaches are finally dealing with this problem -- something can look an awful lot like spam, but it will be saved if it looks even more like legitimate email.

    In this case, spam doesn't generally run for 21 pages with words like "cryptography," and "full disclosure."

    • The problem is that content filtering approaches usually only analyze the "spamminess" of a piece. They usually don't analyze the "goodness" of a piece. So if I put "hot teens go crazy for debt-free viagra while earning $$$ from home" in the middle of some fine Shakespeare, that will get flagged as spam.

      Nor would you be wrong to insert that, since that's roughly the Cliff's Notes reduction of several Shakespeare plays.

    • by Tricot ( 12160 ) on Sunday February 16, 2003 @01:27AM (#5312689)
      ...if I put "hot teens go crazy for debt-free viagra while earning $$$ from home" in the middle of some fine Shakespeare, that will get flagged as spam.

      eMerchant of Venice. Act I Scene IV, right?

    • by 1u3hr ( 530656 ) on Sunday February 16, 2003 @01:38AM (#5312728)
      In this case, spam doesn't generally run for 21 pages with words like "cryptography," and "full disclosure."

      The problem with that is that if you score mail by the percentage of spam, rather than the absolute amount, the obvious response by spammers is to ADD 21 pages cribbed from a crypto newsletter to the end of their penis-enlarging spam. Maybe even fake the headers to make it look like it came from a respected source.

      • Spam tends to be short. The shorter the spam, the more messages they can put through. So spammers would be loathe to add 21 pages of text to their spam.

        I have
        Const maxspamsize = 42695
        in my spam filter - I've only receive one piece of spam larger than than in the last 12 months (a giant promotion for a Korean trade show). It speeds up my spam filter processing and lets large newsletters (with false triggers like this) through without a problem.

        • It speeds up my spam filter processing and lets large newsletters (with false triggers like this) through without a problem.

          Yes, it works now. But if your criterion were widely used, spammers would just bulk up their spam. (Now they often add some gibberish to the end, or even within HTML tags, so that it's not normally visible, and breaks up trigger words.)

          • My point remains valid. Because there is a direct cost to the spammer to adapt.

            If they bulk up their spam that's going to slow them down, increase their costs (even if bandwidth costs aren't going to be passed back to them now, the more they use, the more visible they become). They become more visible.

            Or they continue on their way. The reality is that they concentrate on the easy targets - you and I will never purchase their services so people taking this approach aren't really in their target audience anyway. I know this is (surprisingly) less true than one might think. Spammers do work to overcome basic obstacles, but that adds more costs and time - they don't work hard to avoid tar pits, because there are so few of them.

            So I still see it as a win...large emails are very unlikely to be spam. If that changes, well so be it, but that will hurt the spammers. In the meantime I reap the benefit of fewer false positives and faster spam filtering.

            Final comment - over the last six months I've seen spam get slightly larger (from about 32k peak size to about 45k peak size). But I haven't been analysing for any trends - just the outliers.

      • Spammers won't do this. Why? The number of people using something like Spamassasin are so small, it's not worth their time. Besides, those customers aren't going to buy, anyway.
        • The number of people using something like SpamAssassin are so small, it's not worth their time.


          Not for long. Filtering software such as SpamAssassin is now being used at the server level to recognize junk email for thousands of clients.

          For example, the University of Colorado at Boulder [colorado.edu] now uses SpamAssassin to scan all incoming student email. This means SpamAssassin handles the spam filtering needs of a student population of 30,000. There is no doubt that as the spam problem increases, filtering solutions will begin to appear at the ISP level.

      • Which is why most bayesian-type filters react to a subset of the keywords. By estimating based on the 10 or so best indicators the dilution is less effective...
    • The new "bayesian" approaches are finally dealing with this problem -- something can look an awful lot like spam, but it will be saved if it looks even more like legitimate email.

      In this case, spam doesn't generally run for 21 pages with words like "cryptography," and "full disclosure."


      Well, as a matter of fact, my bayesian filter marked the message spam, when I test-sent the html-file as an attachment to myself.
      • when I test-sent the html-file as an attachment to myself

        That should explain it, although I could be wrong. If your filter doesn't look inside of attachments (which I think is the norm,) it could very well look like spam. If it does look inside of attachments, I think it's time to review the mail you trained your "spam" on. Many others, even those using SpamAssassin with its default threshold, have mentioned that the CryptoGram gets through.

        • Nope, it looked through the attachment. It was attached as quoted-printable text/html, and the discriminating words were from the attachment. The only other word in the body of the mail was "testi."

          The three spammiest words were "million" "trust" and "reports."
  • SPEWS (Score:3, Insightful)

    by some1somewhere ( 642060 ) on Sunday February 16, 2003 @01:16AM (#5312647)
    At least he is only on Spamassassin which tends to be run on the client-side, so statistically less people would not see the newsletter. If he were on the SPEWS's blocklist, he'd never get out!

    http://www.antispews.org/ the SPEWS fansite (not!)

    Personally I see less problem with client-side blocking, as there is less chance that any 2 people would use exactly the same combination of blocklisting/priorities/etc. Plus, programs like Spamassassin use quite a lot of processing power, so large mail servers (eg. for an ISP) would need significant additional resources to handle this. Thus it is best to move such individualized and resource-intensive applications to the client-side anyway.

    YMMV.
    • If he were on the SPEWS's blocklist, he'd never get out!

      Unless he sends actual spam, or is on an ISP that supports spamming, he wouldn't end up on the SPEWS list in the first place.

    • Re:SPEWS (Score:4, Insightful)

      by Skapare ( 16644 ) on Sunday February 16, 2003 @02:54AM (#5312948) Homepage
      If he were on the SPEWS's blocklist, he'd never get out!

      And this is why the SPEWS blocklist is so effective and so good. If he were on it, then that would mean that he and/or his network fell into one of the following categories:

      • Is a spammer
      • Is an ISP harboring a spammer (or an upstream ISP thereof)
      • Is a customer of an ISP harboring a spammer

      Because spam causes abuse to email servers, even when the mail is refused either for reasons of an IP based blocklist, or for content filtering ... abuse in the form of higher costs for the server operators and recipients ... the proper goal is to get the spammer not just blocked from being able to get mail into your mailbox, but fully disconnected from the internet to prevent these kinds of costly abuses in the future. And since only the ISP hosting them can actually disconnect them, it will be the job of that ISP to do so. Most ISPs will when they realize the situation. A few ISPs refuse to, and that's when it comes time to put pressure on the ISP by expanding the blocking of the ISP's network, forcing them to consider that their legitimate customers will be leaving if they do not disconnect the spammer. SPEWS gradually expands listings so that the point where the ISP finally understands this can be reached with the minimum of so called collateral damage (which is not really, because these are customers who are paying money to an ISP which harbors spammers, so they share in the guilt).

      Bruce Schneier's mail server happens to not be listed by SPEWS. So it can be said that he is not a spammer, is not running an ISP that harbors spammers, and is not using an ISP that harbors spammers. That is a good thing and shows that SPEWS not only works, but works better than content based filtering.

      Content based filtering also is a direct violation of the principles of the US First Amendment right to free speech (although the actual amendment only applies to restrictions imposed by the government and does not apply to private businesses in most cases, if not all). Infringement of free speech happens when the decision is based on what the content is. When restrictions are not affected by the content, then such restrictions are considered fair since any content can be passed when the behaviour that evoked the restrictions is not done. And the whole spam issue is about behaviour, not content. The bad behaviour is the act of inappropriately choosing multiple recipients for sending the message ... e.g. unsolicited bulk email (UBE).

      Of course on your own mail server you have a right to use whatever methods you deem appropriate based on how you want to balance your costs, the quality of your service to your customers, and how much cost you want to pass on to your customers. Obviously you have to be in contractual agreement (possibly implied) with your customers about what methods are chosen. If you only offer one kind of service and your customer does not want that kind, by being properly aware of what you do offer, they can go elsewhere. Or you can offer a diversity of services the customer can choose from (e.g. a customer control panel to control the methods of spam filtering for their email accounts). So the choice of what method to use to block spam is strictly a relationship between a provider and its own customer.

      In the case of a network owned by a business only to serve that business function, then it's simply the commercial version of "my server, my rules".

      • And this is why the SPEWS blocklist is so effective and so good. If he were on it, then that would mean that he and/or his network fell into one of the following categories:

        Is a spammer

        Is an ISP harboring a spammer (or an upstream ISP thereof)

        Is a customer of an ISP harboring a spammer


        uh, this is exactly why things like blacklists *are* broken. There are plenty of spammers not on any blacklist, so don't think of (!blacklisted) as equal to (whitelisted). Also, (blacklisted) != (spammer) as well, since alot of these list ops don't care about false positives or collateral damage.

        Secondly, consider your "is a customer of an isp harboring a spammer" rule. The point of antispam efforts is not to block out all spam. (redirect all email to /dev/null would accomplish THAT goal). The point is to allow genuine communication. That means a perfect antispam would allow 100% of "useful" communication (whatever you define "useful" to be) and deny 100% of everything else. Blocking "customers of ISPs" goes directly against that: purposefully denying non-spam traffic is a broken concept. Blacklisters tend to justify such behavior as "zero tolerance," and "putting pressure on ISPs," but I think attacking innocent bystanders is extremely offensive, ineffective and just plain wrong.

        So what if your favorite blacklist decides to stuff the entire 64.*.*.* IP address range? you will cut a lot of spam but suffer enormous collateral damage. Find a spammer, block the spammer. but don't bomb his whole neighborhood "to prove a point."

        • uh, this is exactly why things like blacklists *are* broken. There are plenty of spammers not on any blacklist, so don't think of (!blacklisted) as equal to (whitelisted).

          No anti-spam method is perfect. It is unlikely any will ever be. Don't expect some clever new spam to be blocked until the blockers get more clever. It's a game of one-upsmanship.

          Also, (blacklisted) != (spammer) as well, since alot of these list ops don't care about false positives or collateral damage.

          Go back and read my original post. These are not false positives or collateral damage. They are intended. When the customers of an ISP are listed and blocked in order to pressure the ISP to stop its support of the abuses by spammers, that is not an error, not a mistake, not a false positive, or collateral damage. It is in fact intended and for the described purpose.

          In war, we speak of collateral damage as the UNintended targets of things such as bombs. Blocking customers of ISPs is not that. It is more like trade sanctions. The trade sanctions don't work in Iraq because most of the people cannot switch to living in a different country. But most customers of an ISP that doesn't get the clue, can switch to another ISP. And it has accomplished the intent in many cases.

          Secondly, consider your "is a customer of an isp harboring a spammer" rule. The point of antispam efforts is not to block out all spam. (redirect all email to /dev/null would accomplish THAT goal). The point is to allow genuine communication. That means a perfect antispam would allow 100% of "useful" communication (whatever you define "useful" to be) and deny 100% of everything else. Blocking "customers of ISPs" goes directly against that: purposefully denying non-spam traffic is a broken concept. Blacklisters tend to justify such behavior as "zero tolerance," and "putting pressure on ISPs," but I think attacking innocent bystanders is extremely offensive, ineffective and just plain wrong.

          You're missing a goal. The other goal is to keep the communications cost effective. Consider that an onslaught of spam, even though it is not going to be delivered for whatever reason, can overload a mail server, possibly even crashing it, and deny other communications. Spam attacks can deny the timeliness of communications. There won't be any form of 100% perfect useful communications until every spammer is gone. That goal cannot ever be realized given human nature, but we can get very close by making sure that ISPs deal with the issues of spam that they should be doing. Once they are doing that, then we'll at least have 99.9999% usefulness.

          We obviously disagree. In my opinion, what you call attack is nothing more than a boycott. And remember that it is the recipient mail system operator making that decision to use SPEWS or some other blocklist. If they believed as you do, they would not use it (I presume you do not).

          So what if your favorite blacklist decides to stuff the entire 64.*.*.* IP address range? you will cut a lot of spam but suffer enormous collateral damage. Find a spammer, block the spammer. but don't bomb his whole neighborhood "to prove a point."

          First of all, picking that specific address range is stupid. SPEWS will not expand a listing to an unrelated ISP. The 64.0.0.0/8 block is broken up into many allocations by ARIN. But maybe you can use the 12.0.0.0/8 network instead, since it is allocated entirely to one ISP.

          It's not bombing a neighborhood. If enough people were to use SPEWS, then the ISP would eventually realize that they will lose more money by legitimate businesses leaving than they get from spammers. Bombing is lasting damage that has to be rebuilt over. Blocking an ISP is fixed by a very simple action of disconnecting the offending spammers.

          I'm sure you would be quite pissed off if your mail bounced because your ISP was listed in SPEWS. But consider that the operator of the mail server used by the party you tried to send the mail to is equally pissed off at your ISP for letting one of its customers continue to attack his server. Actually, it is more likely he will be even more pissed off, because the costs in terms of resources consumed and wasted at the recipient server exceeds the money the ISP makes from the spammers, the money the spammers make for themselves, and the cost to the customers to switch ISP, combined.

      • Re:SPEWS (Score:3, Insightful)

        by Zeinfeld ( 263942 )
        And this is why the SPEWS blocklist is so effective and so good. If he were on it, then that would mean that he and/or his network fell into one of the following categories:

        Or he might be

        A customer of UUNet which spews has listed because it disagrees with some of the content they host

        NOBODY with a brain is using SPEWS anymore. Listing the largest commercial internet supplier in the US was simply idiotic. And it was done for completely illegitimate reasons.

        The whole blacklist concept boils down to vigilante tactics, use threats to keep people in line. The problem being that the people who run the lists tend to turn into self-important little tinpot dictators after a short time.

        Content based filtering also is a direct violation of the principles of the US First Amendment right to free speech

        Unture, with the exception of Limabaugh whose judgment in Nixon is opinionated nonsense the Federal courts have all rulled that the junk fax laws are constitutional.

        • Re:SPEWS (Score:2, Interesting)

          by Skapare ( 16644 )
          Or he might be
          • A customer of UUNet which spews has listed because it disagrees with some of the content they host

          UUNet has become one of the worst ISPs around due to their harboring of large numbers of spammers. And they do absolutely nothing to respond to complaints reported to them. They just let the spammers keep spamming.

          NOBODY with a brain is using SPEWS anymore. Listing the largest commercial internet supplier in the US was simply idiotic. And it was done for completely illegitimate reasons.

          There are completely legitimate reasons for blocking UUNet. It's the spam. You may be confusing SPEWS with some small-time renegade blocklist.

          The whole blacklist concept boils down to vigilante tactics, use threats to keep people in line. The problem being that the people who run the lists tend to turn into self-important little tinpot dictators after a short time.

          As soon as I see SPEWS operators "turn into self-important little tinpot dictators" I'll certainly stop using it. But I have not seen it happen. Feel free to point out any specifics if you are aware of them.

          If anything, it is the very act of harboring spammers that is a vigilante tactic. Given that the costs of transmitting email are heavily slanted to the recipient end when spam is involved (because the spammers use special software to send email that scale up more effectively than ordinary MTA software), such a tactic could be in active use by some ISPs to drive up the costs for others (their competition).

          Content based filtering also is a direct violation of the principles of the US First Amendment right to free speech
          Unture, with the exception of Limabaugh whose judgment in Nixon is opinionated nonsense the Federal courts have all rulled that the junk fax laws are constitutional.

          Read my statement again, this time carefully. I said it is a violation of the principles. I did not say it is a violation of the Constitution and/or First Amendment itself (see the way the clause is written). Since the Constitution places restrictions on the government, it is the government that is the one that has to be sure not to restrict speech based on its content. You and I are free to do so within the context of our property rights and those of others. While it would be wrong for me to go delete your messages (that would be violating your property rights), you could certainly delete them yourself if you choose to. But I do fully believe in the principles the US Constitution was based on, and I practice my life that way. Thus, I do not use content based filtering. That's my choice.

          • There are completely legitimate reasons for blocking UUNet. It's the spam. You may be confusing SPEWS with some small-time renegade blocklist.

            Since the SPEWS maintainers refuse to answer any correspondence whatsoever there is no way you can possibly know what criteria they are applying. They state that their criteria for listing UUNET is content hosted by a UUNET customer. Of course SPEWS could be lying.

            The realtime blacklists are simply not transparent.

            Comparing UUNET to vigilantes is simple sophistry.

    • Re:SPEWS (Score:2, Informative)

      by GammaTau ( 636807 )

      http://www.antispews.org/ the SPEWS fansite (not!)

      Heh, this antispews.org money-making scam [google.com] is a rather funny one. Strangely enough the Hostway Corporation started hosting the site three days after t3marketing lost [ilaw.com.au] their lawsuit against Joe McNicol [ilaw.com.au]. The Hostway Corporation is behind the t3marketing and many other "direct marketing" buggers. So it's no wonder that they are listed in SPEWS and using every possible way - sue spamfighters, spread FUD, etc. - to help them to continue poison our mailboxes.

      That being said, I'm not sure if the SPEWS way of doing things is such a good idea but the antispews.org site is still run by spammers and should be treated as such.

    • Thus it is best to move such individualized and resource-intensive applications to the client-side anyway.

      Clearly you're not on dial-up. By the time I've downloaded 100 spams, half the annoyance is over.
  • I don't intend to alter my content to accommodate spam filters.

    Some of us aren't so lucky. The rest of us actually need eyeballs on our newsletters [borisfx.com] and try to test our content through filters before sending it out. I am consistantly amazed at the little things that flag my newsletter as spam.

  • When you run SpamAssassin in test mode, it tells you what rules got hit. You can also look at the headers in "Spam-Tagged" email to see what rules got hit. I looked for "Spam Testing" pages on the 'net, but had no luck.

    Could someone run the Crypto newsletter through SA to find out what cased its evaluation?

    As an aside, Counterpane could have done this to find out what the problem was, too. Not that they should have to, but they could have.

    • i ran the text of the newsletter through spamassassin, but not the actual email newsletter itself (i'm not subscribed).

      as a result, it'll look different than someone subscribed to the list, since spamassassin does rely a bit on the headers, not just the text:

      Oh, and as a side note, when i tried to paste this, unedited, slashdot spat the following at me:

      Lameness filter encountered. Post aborted!
      Reason: Please use fewer 'junk' characters.

      the irony is thick. as is, of course, the irony that i could completely bypass it by formatting my message as "code". Now, back to the show:

      X-Spam-Status: Yes, hits=5.1 required=5.0
      tests=BALANCE_FOR_LONG_20K,BALANCE_FOR_LONG_40K,DA TE_MISSING,
      FROM_MISSING,MISSING_HEADERS,NORMAL_HTTP_TO_IP,OPT _IN,
      SPAM_PHRASE_01_02,SUBJ_MISSING,SUPERLONG_LINE,US_D OLLARS_2,
      US_DOLLARS_4
      version=2.44
      X-Spam-Flag: YES
      X-Spam-Level: *****
      X-Spam-Checker-Version: SpamAssassin 2.44 (1.115.2.24-2003-01-30-exp)

      SPAM: This mail is probably spam. The original message has been altered
      SPAM: so you can recognise or block similar unwanted mail in future.
      SPAM: See http://spamassassin.org/tag/ for more details.
      SPAM:
      SPAM: Content analysis details: (5.10 hits, 5 required)
      SPAM: FROM_MISSING (-0.0 points) Missing From: header
      SPAM: DATE_MISSING (0.8 points) Missing Date: header
      SPAM: SUBJ_MISSING (0.3 points) Subject: is empty or missing
      SPAM: OPT_IN (1.5 points) BODY: Talks about opting in
      SPAM: US_DOLLARS_4 (0.4 points) BODY: Nigerian scam key phrase ($NNN.N m/USDNNN.N m/US$NN.N m)
      SPAM: US_DOLLARS_2 (0.1 points) BODY: Nigerian scam key phrase ($NNN.N m/USDNNN.N m/US$NN.N m)
      SPAM: BALANCE_FOR_LONG_20K (-0.7 points) BODY: Message text is over 20K in size
      SPAM: BALANCE_FOR_LONG_40K (-0.1 points) BODY: Message text is over 40K in size
      SPAM: SPAM_PHRASE_01_02 (0.5 points) BODY: Spam phrases score is 01 to 02 (low)
      SPAM: [score: 1]
      SPAM: SUPERLONG_LINE (0.0 points) BODY: Contains a line >=199 characters long
      SPAM: NORMAL_HTTP_TO_IP (1.3 points) URI: Uses a dotted-decimal IP address in URL
      SPAM: MISSING_HEADERS (1.0 points) Missing To: header

      hope this helps,
      gleam

      • SPAM: FROM_MISSING (-0.0 points) Missing From: header
        SPAM: DATE_MISSING (0.8 points) Missing Date: header
        SPAM: SUBJ_MISSING (0.3 points) Subject: is empty or missing
        SPAM: MISSING_HEADERS (1.0 points) Missing To: header


        See this posting [slashdot.org] for one with the headers, which shows that SpamAssassin doesn't tag it as spam anyway.
        • yeah, which is pretty much what I noticed too.. of course, spamassassin has a configurable threshold, and configurable weights, so maybe one particular configuration of spamassassin will mark it as junk..

          but it looked like it would have made it to my inbox with no problems.

          -gleam
      • SPAM: OPT_IN (1.5 points) BODY: Talks about opting in

        Go read the DNSSEC mailing list, there has been a considerable amount of discussion about OPTIN.

        Or read any of the privacy mailing lists where the term opt in is used in the exact same context

        The big problem with developing a SPAM solution is that nobody wants to hear any solutions, start describing something and they will interrupt your first sentence to tell you their idea. Then when you explain that the idea is not new and has severe drawbacks they assert that it works for them so it should be good enough for anyone.

  • The Risks digest reported in 1991 that the email newsletter from the International Association for Cryptographic Research was being blocked by spam filters. One of the IACR board members was a crypto expert with the unfortunate name of Don Beaver. And there were some references to "hardcore bits" and LaTex. It was all too much for the filters.
    • The Risks digest reported in 1991 that the email newsletter from the International Association for Cryptographic Research was being blocked by spam filters.

      I somehow doubt it, Canter and Segal didn't send out their mass mailling till 1993.

      One of the IACR board members was a crypto expert with the unfortunate name of Don Beaver. And there were some references to "hardcore bits" and LaTex. It was all too much for the filters.

      I think you are describing a censorship filter rather than a spam filter there.

  • by kcbrown ( 7426 ) <slashdot@sysexperts.com> on Sunday February 16, 2003 @02:54AM (#5312946)
    Right now everyone is forced to accept email connections from anyone who sends email because it's not possible to tell ahead of time whether or not the connection is coming from someone who is reliable, right? And spammers take advantage of this by sending millions of messages from open relays. Blocking that is a virtual impossibility because which relays are open changes over time.

    The first inclination one has would be to suggest that everyone close their open relays. But this depends on people doing the right thing all the time, and has proven ineffective.

    Fortunately, there's another way.

    Right now, everyone who receives mail has to listen to everyone who tries to connect. The problem is how do you separate the wheat from the chaff?

    The solution is to take advantage of the information SMTP and TCP/IP give you when a connection is established. The fact that you're receiving a connection gives you the address of the sender. And during an SMTP transaction, one of the SMTP commands (the MAIL FROM command) gives you the domain of the email's sender, e.g. "MAIL FROM slashdot@sysexperts.com".

    When you're sending email to someone else, you do so by looking up the MX records for their domain, which tells you which systems are responsible for receiving email for that domain. This gives us a possible answer to the spam problem.

    Suppose instead of blindly accepting email from everyone, you were to take the domain given to you by the MAIL FROM command, look up the MXes for that domain, and reject the email connection if the IP address of the sender doesn't match one of the domain's MXes?

    Now, suddenly, you would end up rejecting email sent from every unauthorized relay, because the owner of the domain can make any system that is allowed to send email on behalf of his domain into an MX (and, if he doesn't want that system to be used for delivering email, then he simply makes such systems the lowest priority MXes in the list and blocks outside port 25 connections to them ... something he's probably doing anyway).

    Suddenly, the only systems that spammers can send email from are systems that they legitimately control and that are defined as MXes for a domain they control. Suddenly, spammers have to set up and maintain their own domains and their own boxes. The costs have just become a lot higher, which will get rid of most of the spammers.

    And suddenly, blocking spam becomes orders of magnitude easier -- you only have to deal with spammers who have decided to pay the (now much higher) price for sending spam and who cannot use someone else's system to do their dirty work without permission.

    • Re: (Score:2, Interesting)

      Comment removed based on user account deletion
      • This will work for most senders, but it is entirely possible that the addresses sending mail are different to those which can receive mail.

        Correct. We are one of those. We have our own mail server (rented rack in Dallas) but use Speakeasy SMTP servers (Our SDSL provider located in NY) for outgoing opt-in newsletters. We don't HAVE to do it this way, but for technical reasons, its faster and easier for us. And it doesn't count toward our bandwidth on the rack.

        Another server we have, on another SDSL line was blacklisted because it was SDSL, effectively shuting down all mail services. The server has been up on that IP for years, and averaged 10 to 50 emails per day, so we surely were not spammers. Our SMTP server are not open relays. It was blacklisted purely because it was on SDSL ip ranges.
    • please no (Score:5, Informative)

      by upper ( 373 ) on Sunday February 16, 2003 @07:22AM (#5313387)
      A "solution" like that would trash my outbound mail. I forge my From: addresses routinely.

      My primary mailbox is with a small, local ISP. I can't buy broadband from them, so I get my connectivity via cablemodem. I do have a mailbox in the cablemodem company domain -- that's the one I give out when I expect abuse. (I do it this way because I expect to be dealing with that ISP long after the cable vendor has either ceased to exist or has treated me badly enough that I left.)

      So I want my outbound mail to appear to have come from the ISP. Setting Reply-To is usually adequate, but not always -- when a human is looking for the address, they could easily grab the wrong one. And it creates potential confusion I don't want to create. So I set my from address to name@isp.com.

      I can't relay through the ISP's relays, because I'm outside of their IP range. (If they did some form of authenticated SMTP, such as SMTP-after-POP, they could let me.) And the cable vendor's mail relays won't send mail out with some other domain name on it. So I send everything out directly, no relays.

      If you look at many headers, I suspect you'll find that I'm not the only one forging my From: address for legit reasons. The presence of the X-Authentication-Warning header some MTAs add correlates fairly weakly with spam. (Some details of it -- e.g. no valid reverse DNS for the sending machine's IP -- could be useful indicators.)

      • I have a domain at a dedicated hosting company (i.e. not an ISP), which I want to use as my primary address. At the moment the host has a mail relay (using POP-before-SMTP to prevent abuse), so while at home, I ignore my ISP's mail services completely and use my web host's POP3 and relaying; when my domain was with a different host a while ago, I couldn't even do that, since they provided POP but not SMTP, so I had to use a "forged" header as you describe.

        At university this is even more necessary, since my university blocks port 25 at most of their routers - the only exception is that anyone in the university can connect to a "server" (actually a load-balancing cluster) which acts as a central relay. This means it's impossible to send mail unless it's either tunnelled in some way (not an option for me, my web host charges extra for ssh), or through this relay server. The relay accepts mail with any faked From address, on the basis that some people (including some departments) need this functionality, and if someone spams through it, they have it logged and know who to blame.

        (Before you ask whether my uni gives me an e-mail address: yes it does, but I do game modifications, and I don't want to use my uni address for that. Also, my domain is more permanent than an address that disappears when I graduate)
      • I forge my From: addresses routinely. (...) If they did some form of authenticated SMTP, such as SMTP-after- POP, they could let me.

        In other words, you're sending a mail that appears to come from a ISP address, without ever being in contact with that ISP. Assuming there are rouge boxes out there, how could you possibly fix it without breaking your setup? I think the solution is fair - if you want to send with a @domain address, you must authenticate with the @domain servers somehow. If your ISP doesn't offer it now, I'm pretty sure they would if there was real demand for this feature. And if your tell your ISP that this will help reduce spam, they'll like it. They're not more fond of spam than you are (except those ISP profiting more from having spammers than getting spam, but they're few)

        Kjella
      • Absolutely. You're not the only one "forging" the From: address at all, since it's the default thing to do in a lot of Mail programs.

        Example: Mozilla Mail - I have three different IMAP servers that I talk to (Work, Personal, and my ISP's). When I reply to a mail from any of those, Mozilla correctly changes my "From:" field to the appropriate setting so the emails will come back to whichever account I was sending from.

        However, with Mozilla, you can only specify ONE outgoing SMTP server, which in my case is my local machine. This would mean almost all of outgoing emails would get rejected, as the reverse lookup of my Mail-From: header wouldn't match my local IP.

        Plus, it's not uncommon for large ISPs or organizations to have a different set (IP block) of outgoing SMTP vs. incoming SMTP, to distribute load.

    • Yes, this approach is well known about, and used by some people. It's also a pain in the ass for everyone else.
  • I'm not sure about products other than SpamAssassin (BTW, 2.50-CVS rocks (has nothing to do with the fact that my contributions are in it, heh)), but programs like SA don't automatically delete or hide tagged messages, they just provide the ability to do so via other means, like procmail.

    What I personally don't understand is why people would trust a program enough to trash a message just because the program itself thinks it was Spam. I get about 150 messages per day; maybe 80% of it is spam (7 years with the same email address will do that), but I use SA's default behavior, which is to rewrite the subject and provide a report. I see that familiar "****SPAM****", and by the time I expunge, I've casually scanned the subject lines of the tagged messages (false positives are extremely rare, but possible, as this article is a prime example of).
  • by MavEtJu ( 241979 ) <<gro.ujtevam> <ta> <todhsals>> on Sunday February 16, 2003 @02:59AM (#5312964) Homepage
    I discovered that SpamAssassin thinks that this issue is spam.

    X-Spam-Status: No, hits=2.3 required=5.0
    tests=BALANCE_FOR_LONG_20K,BALANCE_FOR_LONG_40K,
    MIME_LONG_LINE_QP,NORMAL_HTTP_TO_IP,OPT_IN,
    PAM_PHRASE_01_02,SUBJECT_MONTH,SUBJECT_MONTH_2,
    US_DOLLARS_2,US_DOLLARS_4
    version=2.43
    X-Spam-Level: **

    Now that's not really tagged as spam...
  • meganet (Score:5, Interesting)

    by autopr0n ( 534291 ) on Sunday February 16, 2003 @03:02AM (#5312972) Homepage Journal
    Interesting he goes into meganet, witch was rather unbelievably featured on slashdot a couple days or so ago. He says it's pure crap. I said [slashdot.org] the same thing in the article and people actually replied defending it.
  • SpamAssassin works the way you tell it to work. If you feed it all your mail and don't bother to pre-filter or whitelist known good mail, it's your fault if SA flags things such as newsletters as SPAM.

    I use procmail with SpamAssassin in this manner:

    • add procmail filters to put messages from family members and close friends into my INBOX
    • add procmail filters to sort out messages from mail lists and newsletters
    • adjust individual scores for SpamAssassin rules if necessary (usually I adjust them so a matched rule's score is higher than the default score)
    • whitelist addresses from family members and close friends in SA's user preferences (a redundant mesaure just for the heck of it)
    • let any mail that isn't sorted by my procmail filters be checked by SpamAssin
      • messages flagged as spam by SA are put aside into a spam folder
      • messages not flagged as spam by SA make it to my INBOX

    It only takes a little bit of thought and minimal configuration to keep your mail from incorrectly being flagged as SPAM. For me, using this method has led to zero (0) false positives on messages from known sources, for two years. Every once in a while a SPAM message sneaks into my INBOX (a couple a year), but then I submit it to a SPAM database used in SA's checks (like Razor), or adjust any particularly annoying rules' scores, and it doesn't make a repeat appearance for me.

    If your find that any particular newsletter is being treated as SPAM by your mail filters, there's probably a very simple way for you to make sure it isn't filtered out. Use the tools you have wisely, and you won't be disappointed.

  • An employer of mine sent out a very important e-mail with "IMPORTANT - MUST READ" in the title, and guess how many people got it? All thanks to wonderful e-mail filters...
  • by Pathwalker ( 103 ) <hotgrits@yourpants.net> on Sunday February 16, 2003 @04:58AM (#5313180) Homepage Journal
    Am I the only one that has all of the mailing lists I subscribe to bypass SpamAssassin?

    For each mailing list I subscribe to, I use a special address suffix just for that list, that bypasses all of my spam checks (including SpamAssassin ), and just goes right into the mailbox that I use for that mailing list.

    No problems with false positives, and it saves me the overhead or running SpamAssassin on every incoming message from a busy list.

    it just seems like common sense, no one should have a problem with SpamAssassin misclassifying incoming newsletters if they just think about how they organize their email.
  • by Daniel Quinlan ( 153105 ) on Sunday February 16, 2003 @04:59AM (#5313183) Homepage
    I'm one of the SpamAssassin (SA) developers and I asked Bruce to send me a copy of the newsletter after hearing about his note of warning a few days ago.

    Aside from the spot-on comments that people have made regarding adding a whitelist entry Crypto-Gram (an obvious candidate for whitelisting if there ever was one, given that it frequently discusses spam, scams, and probably even includes text straight out of some spams), here is my initial analysis and response to him.

    Oh, first one other comment: SpamAssassin does not block content. SpamAssassin only flags probable spam. What the site or user does with that flag is their own business. Some mail administrators misuse SpamAssassin to block email, but we do not recommend blocking email. Really.

    ------

    [...] One false positive (or a related set of false positives) is not really a statistically useful sample size. To get to a high rate of filtering, most filters do have some false positives. You can get fewer false positives with customization of one form or another (personalized Bayes training, whitelists, rules, automatic learning algorithms). Our goal (everyone's goal, I think) is to get the best ratio of false positives to false negatives. It's a difficult balance sometimes and some legitimate content has a harder time.

    On to the data:

    I checked your newsletter with two versions of SpamAssassin: the current stable version (2.44) and the very-soon-to-be-released development version (2.50).

    A score of 5.0 is the default threshold to be flagged as spam.

    In SA 2.44, your mail receives a score of 3.20 (2.40 as I received it, but I believe the score would be about 3.20 for most people). That's on the high side, but has bit to go before being flagged as spam. The score is the same with network tests (DNS blacklist tests and Razor).

    In SA 2.50, your message would probably receive a score of 1.90 without network tests and 1.00 with network tests. Note that the test scores may change a bit before the final release of 2.50, but those are better scores, more what we like to see for non-spam content. They would be even lower when using Bayes (part of SA 2.50). Those lower scores are not unexpected because... well, 2.50 is better. :-)

    Based on these results, it's not clear to me why yesterday's newsletter was flagged as spam. Some possibilities:

    • your newsletter is routed through blacklisted hosts for some people
    • some people are using a old or misconfigured versions of SpamAssassin (extra rules, additional blacklists, many possibilities here)
    • the newsletter as received by some subscribers is substantially different than what you sent me
    • something else?

    Can you give me more information about the false positive that you experienced or was reported to you?

    Thanks.

    Dan

    ------

    If I find out more of interest before the thread is closed to comments, I'll try to post a follow-up to my post.

    • I'm running v2.44 and it passed the CryptoGram newsletter just fine. I'd bet that the report came from someone who has tweaked their SpamAssassin settings to be non-default (as mine are).

      Not a problem.

      bcl
    • (Note: AWL == AutoWhiteList)

      Headers added by spamassassin:

      X-Spam-Status: No, hits=-2.4 required=5.0
      tests=AWL,BALANCE_FOR_LONG_20K,BALANCE_FOR_LONG_40 K,
      MIME_LONG_LINE_QP,NORMAL_HTTP_TO_IP,OPT_IN,
      &nbsp ; SPAM_PHRASE_01_02,SUBJECT_MONTH,SUBJECT_MONTH_2,
      US_DOLLARS_2,US_DOLLARS_4
      version=2.40-cvs

      It still sounds like I should upgrade to 2.5 when it comes out, sounds like some very nice features. Keep up the good work.

    • by imroy ( 755 )

      I just got the email today and it failed. I'm running 2.44 from Debian and haven't yet looked at tweaking any of the rules.

      Here's the verbose banner that SA put on my copy:

      SPAM: Content analysis details: (5.90 hits, 5 required)
      SPAM: SUBJECT_MONTH_2 (-0.5 points) Subject contains a month name - probable newsletter (2)
      SPAM: SUBJECT_MONTH (-0.5 points) Subject contains a month name - probable newsletter
      SPAM: OPT_IN (1.5 points) BODY: Talks about opting in
      SPAM: US_DOLLARS_4 (0.4 points) BODY: Nigerian scam key phrase ($NNN.N m/USDNNN.N m/US$NN.N
      m)
      SPAM: US_DOLLARS_2 (0.1 points) BODY: Nigerian scam key phrase ($NNN.N m/USDNNN.N m/US$NN.N
      m)
      SPAM: BALANCE_FOR_LONG_20K (-0.7 points) BODY: Message text is over 20K in size
      SPAM: BALANCE_FOR_LONG_40K (-0.1 points) BODY: Message text is over 40K in size
      SPAM: SPAM_PHRASE_01_02 (0.5 points) BODY: Spam phrases score is 01 to 02 (low)
      SPAM: [score: 1]
      SPAM: NORMAL_HTTP_TO_IP (1.3 points) URI: Uses a dotted-decimal IP address in URL
      SPAM: RAZOR2_CHECK (3.9 points) Listed in Razor2, see http://razor.sf.net/

      It looks like some dumbass has entered it into Razor. Unfortunately, some people (and yes I did this originally) had their procmail setup to enter an email into razor if it is deemed "spam" by SA or something else. Those 3.9 points are what puts it over the threshold.

  • Just shows that... (Score:3, Interesting)

    by forgoil ( 104808 ) on Sunday February 16, 2003 @05:06AM (#5313193) Homepage
    This simply shows that newsletters and similar are not really sent by the right medium right now. EMail hasn't kept up with the times and as a result we see this endless amount of spam.

    What is needed is a foolproof way of saying "I want this, please send it to me" and then being able to reject it safly without needing the other party to do it for you. For example:

    I send a message to cryto-gram, including a key. This key can then be used to send it to me, and I accept it (key in combination with who send it and so on, I am sure someone with even more experience can figure out a fool proof way). Good stuff. But then I realise that I don't want this anymore, and I simply remove the acceptance of this key in my own software (and send a message that I don't want it anymore, no harm being nice to the nice), and it will be filtered away.

    Or something along those lines, I can asure you that I haven't fixed up a foolproof and perfect system yet ;)
    • What is needed is a foolproof way of saying "I want this, please send it to me" and then being able to reject it safly without needing the other party to do it for you. For example: I send a message to cryto-gram, including a key. This key can then be used to send it to me, and I accept it...But then I realise that I don't want this anymore, and I simply remove the acceptance of this key in my own software...and it will be filtered away.

      This can be done via TMDA [tmda.net], a whitelist-centric anti-spam package. You can create sender-based addresses so that the originating org has a direct pipe to you inbox, but that anyone else trying to use the address will have to confirm their identity first. You can remove that direct pipe at your leisure.

    • I send a message to cryto-gram, including a key. This key can then be used to send it to me

      You want the newsletter, then it's up to you to make sure you can receive it. I think there's pretty near zero chance that Bruce is going to waste his time jumping through hoops for your benefit and your benefit alone. Well, ok, I won't speak for Bruce, but speaking as a Debian developer, if you send me a question or request for help, and my response bounces because I'm not on your whitelist, I'm simply going to delete your question/request, and will probably add your name to my killfile, just so I don't have to deal with that crap in the future.
  • ..."Ancient Gurus srb and guenther say, 'Sort your mailing lists to the folders before you filter your spam.'"

    Crypto-Gram isn't the only mailing list that gets hit by misunderstandings - all automatic mail handling is always confused about automailers and mailing lists. And even due to usability factors, it makes sense to sort mailing lists to folders anyway, and use a client that supports multiple specific folders.

    • ..."Ancient Gurus srb and guenther say, 'Sort your mailing lists to the folders before you filter your spam.'"

      This works well, except that sometimes the mailing lists can be spammed too (eg lists which don't require subscribtion to post).
  • make a list of validated e-mail addresses and move them to the inbox before you run the spam-filter.

  • False alarm? (Score:3, Interesting)

    by babbage ( 61057 ) <cdevers@cis.usou ... minus herbivore> on Sunday February 16, 2003 @11:31AM (#5314119) Homepage Journal
    I've just checked the headers for this month's Cryptogram, and the current version of SpamAssassin (2.44) did not flag it as spam. To wit (slightly reformatted because of Slashdot's "this Nerd site will not accept technical postings thankyouverymuch" comment filter):
    X-Spam-Status: No, hits=2.0 required=5.0
    tests=BALANCE_FOR_LONG_20K, BALANCE_FOR_LONG_40K, NORMAL_HTTP_TO_IP, OPT_IN, SPAM_PHRASE_01_02, SUBJECT_MONTH, SUBJECT_MONTH_2, US_DOLLARS_2, US_DOLLARS_4
    version=2.44

    X-Spam-Level: **

    Note that SpamAssassin isn't on my whitelist or anything like that -- it just worked.

    False alarm?

  • by ziegast ( 168305 ) on Sunday February 16, 2003 @02:13PM (#5314898) Homepage
    The message below will get around just about every spam filter...


    From: schneier@counterpane.com (Bruce Schneir)
    To: reader@slashdot.org (Nutcase)
    Subject: Monthly Cryptogram newsletter

    The February 2003 newsletter is out!

    http://www.counterpane.com/crypto-gram-0302.html


    It has some other advantages too:
    1. Instead of blasting out 20K messages to all of the recipients at once, he blasts out a bunch of 1K messages, cutting down on his 95th percentile bandwidth. People will come back to read the articles, and when they do, web caching servers/software between users and his server will cache anything static. Eg: 5000 AOL users will get the article from the AOL caches instead of his site, but a bug in the HTML will get a 1x1 gif from his site directly.
    2. Everyone sees exactly the same newsletter as Bruce intended to publish it (he probably doesn't make exceptions of Opera 7 ;^) instead of worrying about hoiw to accommodate HTML into everyone's broken mail reader.
    3. It keeps from filling up countless mailboxes for something we'd probably go to his website for anyway.
    4. If he has advertisers that want to post on his website, they get more eyeballs, and it's less annoying than being sent an ad as part of your mailbox. Conversely, like Slashdot, subscribers can pay Bruce not to put ads into the newsletter by giving him the annual subscription fee.
    5. Bruce can tell exactly how many people read his article (web logs).


    I learned this from the electronic greeting industry. Similar to Usenet 2 [usenet2.org] and Internet Mail 2000 [cr.yp.to], messages semaphores will become the future of e-mail. People will create web content as easy as they create e-mail messages now and semaphore the recipients (using IM or email) to look at their content. Recipients who are interested will click on the URL in the semaphore. Recipients who want mail from Bruce, will open it. Bruce might even (G)PG(P)-sign the announcement notice so that spammers can't pretend to be him.

    Then again, why should Bruce have to mail anyone at all? If his newsletter is so good, his readers will bookmark his page and read it every now and then, just like I do with DaemonNews or ArsTechnica.

    The Internet is evolving, and Bruce is whining along the way. Mass-mailed newsletters are going the way of the dino-WAIS-server (just like FTP [slashdot.org] ;^).

    -ez

There is very little future in being right when your boss is wrong.

Working...