Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Spam Businesses

E-Mail Spam Goes Artisanal (bloomberg.com) 68

An anonymous reader writes: Spam filters have come a long way over the past two decades — but spammers have, too. Though email providers are better than ever at blocking spam, it's still big business, with a lot of money to be made. Security researchers are seeing a new trend in spam: less volume, and better targeting. The article mentions "snowshoe" attacks, which occupy the middle ground between massive spam campaigns and tiny phishing attacks. "Craig Williams, a senior manager at Talos, said the amount of snowshoe spam has more than doubled in the past two years and now accounts for more than 15 percent of all junk messages distributed globally." Security researchers have been pushing for a unified registry to help deal with these mid-range spammers, but it's hard to get a significant portion of providers on the same page, particularly when many are fond of running their own solutions.
This discussion has been archived. No new comments can be posted.

E-Mail Spam Goes Artisanal

Comments Filter:
  • my niece asked if i still used that old-fashioned email. i said no, i use stamps.
    • All of the companies that send me bills by mail are constantly hounding me to let them switch to bills by email. I may pay my bills online through my bank, but I insist on getting a paper copy of my bills. Why on Earth would I want the power company to know my email address?!?
      • by Jeremi ( 14640 )

        Why on Earth would I want the power company to know my email address?!?

        You wouldn't -- but you can always create a throwaway email address just for your power company to use, maybe even enable auto-forwarding to your real/top-secret personal email address, if you like.

      • by NotQuiteReal ( 608241 ) on Thursday January 21, 2016 @10:59AM (#51343981) Journal
        I wish they would email the bill. Alas, most just email you telling you that you HAVE a bill... then you have to go to their site to see it. (What? it's a security issue if my email gets intercepted and someone learns I need to pay the gas company $16.49?)

        What a hassle - another site to sign up at, more ridiculous and changing password rules to make you pick "good" passwords (if your favorite characters are even allowed).

        At least some of them DO send the bill to my e-bank, so that I can see the bill on the same site I am paying it.

        That said, I do auto-charge some to a credit card, like the land-line (wife needs it for FAX), toll road, couple of others. And guess what? As long as the amount looks about right, I never look at the bill. It's diabolical, they could be slamming me with small amounts that they no nobody will bother to quibble about, and now, I never even see the details.

        (And it does happen. The Long Distance carrier for that land-line comes to $3.68 per month, with Zero services used. That's right, $0.00, plus Federal universal service fund + Fed Telecom relay service + Federal regulatory recovery +Property Tax recovery +interstate services fee. Most if Federal, but CenturyLink has found a way to steal a penny here, a nickle there, every month, from every customer. I am sure it adds up.)
      • All of the companies that send me bills by mail are constantly hounding me to let them switch to bills by email. I may pay my bills online through my bank, but I insist on getting a paper copy of my bills. Why on Earth would I want the power company to know my email address?!?

        For money it pays to have a spare email address and a second credit card with a "sane" limit.

        I know this is the wrong place to be helpful but ask your bank about a "second internet" credit card
        with a small limit.

        Dust off an old laptop and install a linux (anything you know) and virtual machine manager.
        Copy VM image, start it, connect to pay, kill and flush the VM.
        Watch the patches for your minimum VM and update it any time a security
        issue gets discovered.
        Eventually do nothing outside of the safety of an upd

    • by msauve ( 701917 )
      I'd like to know who the idiots are that respond and make spam profitable. Really, these enablers are ultimately responsible for spam and should also receive condemnation.
      • by jafiwam ( 310805 )

        I'd like to know who the idiots are that respond and make spam profitable. Really, these enablers are ultimately responsible for spam and should also receive condemnation.

        It's not the people that respond that are the suckers.

        It's the people that are sold the idea they can send out mail and make a profit.

        Spammer: "Hey, loser dumbass small business idiot person, I can get you lots of money by sending out your message!"

        Idiot Loser Dumbass Small Business: "OK! Here's some money for "impressions" on my web site!"

        Spammer: [sends out spam everywhere, generating useless impressions for a web site and annoying everybody]

        The spam doesn't have to WORK for it to be profitabl

      • I'd like to know who the idiots are that respond and make spam profitable.

        No, not necessarily profitable for the seller of the product whose advertisement is forced into your inbox.(*)
        It's profitable for the crooks who are into the business of selling the *act of forcing SPAM into your inbox* to the clueless marketing that think that this a valid way to promote their products.

        Really, these enablers are ultimately responsible for spam and should also receive condemnation.

        The real enablers who should take responsibility for spam are those clueless enough to think it's a good idea and ask for it as a way to promote their products.
        As long as there's demand (we need that ad to

  • by phantomfive ( 622387 ) on Wednesday January 20, 2016 @08:36PM (#51341109) Journal

    Your post advocates a

    (*) technical () legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    () Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    (*) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    () Requires too much cooperation from spammers
    (*) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    () Spammers don't care about invalid addresses in their lists
    () Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    () Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    (*) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    (* ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    (* ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    () Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    () Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    ( ) Ideas similar to yours are easy to come up with, yet none have ever
    been shown practical
    () Any scheme based on opt-out is unacceptable
    (*) SMTP headers should not be the subject of legislation
    ( *) Blacklists suck
    (*) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    (*) Why should we have to trust you and your servers?
    ( ) Incompatiblity with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    () I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    ( *) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

    • Re: (Score:3, Informative)

      by Todd Knarr ( 15451 )

      Fail.

      • It's not about stopping spam so much as detecting mail that's not being sent from the servers the purported domain owner says it should be coming from.
      • It doesn't require total cooperation.
      • There are no jurisdictional problems with implementing DKIM/DMARC, and they were designed to work with SMTP (although they'll work with any other mail protocol when it comes to that).
      • One of the goals is to reduce the profitability of spam.
      • DMARC doesn't require email headers, and DKIM's header doesn't need to be legis
      • Fail.

        That's fine, feel free to check your own boxes

      • The only reason to use any of these schemes is to make sure mail originating or passing through your MTA is delivered. It's lunacy to use it as any more than a weighting for anti-spam purposes. And, as I've seen some spam now that does indeed seem to be coming from legitimate servers (in other words it's not using some sort of spoofing) you're left with using Bayesian systems like Spamassassin to still weed out spam. Even greylisting doesn't work against these kinds of spam simply because they are operating

        • Personally I love email, and have no desire to jump on the Facebook wagon or any of the other social media messaging systems, but I really am beginning to think there's just no way to have an open delivery system like SMTP, no matter how much you to glue on identification and authentication schemes.

          I've been thinking about that too.....imagine we had a "decentralized" friendship system, like facebook (or a system like Diaspora, but good). How would you keep the spam out? Facebook can kind of do it, because they have the ultimate power, although even they have problems. Would it be possible to keep the spam down with something like that?

    • by khasim ( 1285 )

      Not only that but something does not sound right in TFA:

      Craig Williams, a senior manager at Talos, said the amount of snowshoe spam has more than doubled in the past two years and now accounts for more than 15 percent of all junk messages distributed globally.

      and

      Unsolicited junk mail accounts for 86 percent of the world's e-mail traffic, with about 400 billion spam messages sent a day, according to Talos, a digital threat research division of Cisco Systems.

      So 15% of 400 billion is ... 60 billion messages a

      • Well, they are using a different definition of "snowshoe" spammer than the one I've heard used. To me, a snowshoe spammer is one that still sends large amounts of emails out, but spread them out over many, possibly dozens or more, hosting accounts. Much like how a snowshoe spreads your weight over a larger area of snow. The idea being that the volume from the individual accounts are low enough that it doesn't get flagged as spam and they can fly under the radar.

        I've got a couple that have been spamming m

    • (* ) Extreme profitability of spam

      That is something that has changed a lot recently.

      SPAM *used* to be extremely profitable for seller:
      - sending an e-mail is basically free. (no stamp, unlike post. No phone connection fees, unlike fax)
      - even if you only manage to sell 1 single item, that's still 1 sell that earn the 1x price of item monetary gain
      - return on investment ratio: 1 / 0 = +Inf

      Nowadays spaming is a business it self, and that has changed:
      - for a seller they pay some crook for the spamming act: they pay someone to push the ad to inbo

    • This is the first time I've ever seen one of these forms that didn't check the "asshats" box. Asshats *always* screw things up.

  • One of the proposed solutions (that looks like it might be effective), DMARC, isn't even hard to set up. OK, you need DKIM set up properly on your outgoing mail servers, but that's not that hard to do. If I can figure out how to do it, starting from scratch, in an afternoon, any competent enterprise netadmin should be able to do it. Once DKIM's signing mail, DMARC is just a matter of publishing the DNS records. There's reporting software you can install to send reports back to domain owners when your system

    • Re:DMARC (Score:4, Interesting)

      by mysidia ( 191772 ) on Wednesday January 20, 2016 @09:04PM (#51341255)

      DMARC, isn't even hard to set up

      Except DMARC with SPF breaks E-mail forwarding between domains, and DKIM with DMARC breaks legitimate Mailing lists, so neither is viable

      However, Authenticated Receive Chain [arc-spec.org] spec is promising.

      • Howso? Domain A sends mail to domain B, domain B forwards mail to domain C in a new "envelope" just as currently happens. If domain B doesn't have a proper SPF record then yes, that's a problem, but it's a problem right now anyway.
        • Yes, you have to do header rewriting. That's been around since the early SPF days over a decade ago. I was the admin for a small ISP back then, and it's part of the reason I discovered Postfix.

          • And, yet, we still have self-proclaimed experts that think it's a new problem that we don't have yet and can avoid by not implementing an otherwise workable solution. God I love this industry.
            • In the end, that doesn't really solve the big problem. Yes, it allows schemes like SPF to function where email have to transit multiple MTAs, but no one is seriously going to deny an Email because there isn't an SPF or DMARC record. The best you do is give it a relatively small negative weight in your sad but necessary anti-spam system and still deliver external emails without such schemes in place to your local mailboxes if everything else seems kosher.

              Believe me, I've been fighting the spam war in one for

              • On one hand you state:

                In the end, that doesn't really solve the big problem

                and it's fairly obvious that you realize it actually would solve the problem, because you go on to clarify:

                but no one is seriously going to deny an Email because there isn't an SPF or DMARC record.

                But, and buckle up because this might rock your world, that's an issue with the industry, not an issue with the solution. You (and I mean the general "you", not you specifically) say the problem is that most sending domains don't bother with SPF and DMARC? You're right, and there's a solution. Let Google, Yahoo!, and Hotmail start denying based on the existence of these records.

              • by mysidia ( 191772 )

                no one is seriously going to deny an Email because there isn't an SPF or DMARC record

                Not yet. But as it is a majority of domains have a SPF record, and some of the domains that most e-mail is from that are commonly spoofed have DMARC entries as well.

                I could see rejecting email because there's no SPF record, eventually, but not yet. Not until the Forwarding alias Problem is solved with a protocol such as ARC.

                And sorry, but Sender Rewrite Scheme is not viable; because SPF requires everyone to h

          • by mysidia ( 191772 )

            Yes, you have to do header rewriting. That's been around since the early SPF days over a decade ago.

            First of all it's Not "header" rewriting. It's MAIL FROM rewriting The Rfc5321.MailFrom is not a message header; This is different from the Rfc5322.From header, which (outside of DMARC), has no relationship with SPF.

            It's almost irrelevent that YOU can do MailFrom. There is no mechanism you can use to force other people to do MailFrom rewriting when forwarding mail you (or one of your customer

        • by mysidia ( 191772 )

          Howso? Domain A sends mail to domain B, domain B forwards mail to domain C in a new "envelope" just as currently happens.

          This is not what happens in practice. I can assure you that enforcing SPF Hardfail policy violations with SMTP rejects results in Numerous complaints from mailbox holders about "Lost e-mail" that is a result of such forwarding.

          And scoring it as spam generates complaints about spam filtering false positives and numerous whitelisting requests.

      • You can do header rewriting. I certainly have done my share in Postfix, which I still regard as the best general MTA around.

  • "Security researchers have been pushing for a unified registry to help deal with these mid-range spammers, but it's hard to get a significant portion of providers on the same page, particularly when many are hosting spammers.

    There I fixed that for you.

  • by Anonymous Coward

    "Security researchers have been pushing for a unified registry to help deal with these mid-range spammers, but it's hard to get a significant portion of providers on the same page, particularly when many are fond of running their own solutions."

    As soon as you create a unified registry, you create a gate keeper, and his arbitrary decisions as to what is spam. Like the DMOZ days of old, where a category editor would make arbitrary decisions as to whether a website was spam or ham, while actually receiving mon

  • The signal-to-noise ratio in the average persons' inbox is so low that it's almost pointless to use email anymore. I could set up an email account with random alphanumerics and never use it for anything or tell anyone about it, and eventually it'd get filled with spam anyway.
    • I have a special email address I only use to communicate with friends and family. I have spam filtering turned off. I have not received a single spam email in the several years I have used this email address.

    • Google does a pretty damned good job of getting rid of spam. I rarely see spam on my Gmail accounts these days, maybe once or twice a month. The problem is that Google has huge resources to manage filters, so it's success rate is going to be a lot higher than even most corporate mail systems. That's probably why a lot corporate servers are farmed out to Google and Microsoft. When our Exchange 2010 infrastructure finally reaches the end of the road in a few years, I imagine we will probably go to one of thos

      • Google does a pretty damned good job of getting rid of spam. I rarely see spam on my Gmail accounts these days, maybe once or twice a month. The problem is that Google has huge resources to manage filters, so it's success rate is going to be a lot higher than even most corporate mail systems. That's probably why a lot corporate servers are farmed out to Google and Microsoft. When our Exchange 2010 infrastructure finally reaches the end of the road in a few years, I imagine we will probably go to one of those services and bid a not-so-fond farewell to hosting our own email.

        I am compelled to point out two glaring omissions which could help you discover meaning in life.

        Google acquired Postini in 2007, at the time the best cloud-based anti-spam solution in the world, used by everyone from NYT to IBM. Hence why Gmail is so good (because someone else created methods that were good enough for everyone).

        Email hosting is only as good as the person running it. It is not "magically better" somewhere else. Going to the cloud for mail storage and retrieval is both more expensive and

  • by Temkin ( 112574 ) on Wednesday January 20, 2016 @10:47PM (#51341689)

    A snowshoe spreads the load of the wearer over a larger area, making it less likely the wearer will exceed the crush strength of the snow and sink in.

    Snowshoe spam spreads the SMTP submission task across many IP addresses. So if one gets blocked, they can simply discard it and rent another to replace it. Change IP addresses every hour, and it gets difficult to update the block lists fast enough.

  • Of course the spammers will find ways to get around the filters, they make money by doing exactly that. The companies behind the filters are patting themselves on the back right now because the volume of read spam is down, but they aren't bothering to tell you that the false positive rate keeps creeping up over time. The critical measurement lies there, in the signal to noise ratio.

    Any time the spammers can push down the signal to noise ratio, they win. It means a few more messages get through, and a few more sales are made. Alternatively, it means a few more non-spam emails are caught in filters, which causes people to adjust their filters to let more borderline messages through. The whole time, everyone on the internet is paying to be on the losing side of this arms race.

    At the end of the day, as I have said many many times here, spam is an economic problem. No technical, legal, or spiritual solution will stop it. As long as people can make money as spammers, they will keep sending out spam, with no concern for where or to whom it goes. There is only one way to stop spam, and that is by making sure the spammers don't get paid. As soon as the money stops coming in, the spam stops going out.
    • Never the less, it is the open nature of SMTP, developed in a kinder, gentler age that makes dealing with spam so difficult. That being said, walled gardens like Facebook have their fair share, but seeing as all messages are in strict terms internal it's easier for such systems to be altered to deal with more egregious spam attacks. With SMTP, you're stuck a number of solutions that still, if the system is going to be of any use, necessarily leave the door open a crack.

  • Here's the deal, I'd be interested in your feedback.

    I send unsolicited email, anywhere from 100-200 per day depending on the email campaign and targets I'm after although 100 is by far the most common amount. These emails are 100% CAN-SPAM compliant: they come from my email, have my name, address and phone number, provide a opt-out link that is applied within seconds and you never get another from me, if you just email me to stop I apply that request immediately, etc. These are small, text only based email

    • If any of my customers complained, or you hit any of my personal addresses, you'd likely by placed on my block lists. Can-spam compliance means next to nothing for my policy because of how it's been abused or used as an excuse by those who claim to technically be in compliance with it.

      The only thing that would likely save you from wrath on my server was if the message contained a reasonable explanation of where you acquired the email address you were sending to and why you believed that the message was w

    • You are sending 100-200 advertising emails a day with the expectation that 90% of the recipients will have no interest in them and never reply. That totally counts as spam. It may be a small scale spam operation, but that doesn't change its essential character.

      I receive tons of spam from people I suspect are very similar to you. Here's an example of one I got yesterday:

      Dear [my name],

      I hope everything goes well with you!

      I had contacted you regarding the peptide synthesis several months ago, your paper: [name of a paper I wrote] indicated that you may need synthetic peptides, so I am writing to you again to enquire if you need any new peptide recently?

      Needless to say, I have never used synthetic peptides in my life. The paper in question had nothing whatsoever to do with synthetic pept

I have never seen anything fill up a vacuum so fast and still suck. -- Rob Pike, on X.

Working...