
Filter-foiling Gibberish Becoming A Spam Staple

hcg50a writes "Wired has a story about the random words which have recently been appearing in spam. Antispam experts agreed that this isn't a brand-new technique, but said the addition of potentially filter-foiling gibberish is rapidly becoming a common component of spam."
  • by gui_tarzan2000 ( 625775 ) on Tuesday January 13, 2004 @10:17PM (#7969187)
    They keep spamming and we keep deleting... OH THE HUMANITY!
    • by flewp ( 458359 ) on Tuesday January 13, 2004 @10:31PM (#7969364)
      I never delete my spam. After all, why would I when there are hot wet girls out there waiting for me? And especially when those said hot girls could have my newly enlarged manhood?
      • Re:gibberish... (Score:3, Interesting)

        by Mr Z ( 6791 )

        Actually, I avoid deleting my spam. I have an archive now of over 270MB of spam that I can use for a training set for whatever filter I might intend to deploy.

        That archive has more than just spam, mind you. It also has all the virus/worm email I've received over the years as well, such as the "Internet Email System" informing me of an undeliverable message, or "Microsoft Corporation" providing me a convenient, easy to click "December 2003 Internet Update" or whatever.



    • Re:gibberish... (Score:5, Insightful)

      by Alyeska ( 611286 ) on Tuesday January 13, 2004 @10:37PM (#7969425) Homepage
      Worse yet, they keep spamming, someone keeps buying from spam.
      • Worse yet, they keep spamming, someone keeps buying from spam.

        Why was this marked Redundant?

        Maybe I missed someone else pointing this out, but it's a very important point. The spammers will only stay in business until it's no longer profitable. The technological solutions beat the legislative ones right now, but getting the word out to people that buying from spammers only encourages spam would really help too.
      • Re:gibberish... (Score:4, Interesting)

        by 1u3hr ( 530656 ) on Wednesday January 14, 2004 @07:34AM (#7971905)
        Someone keeps buying from spam.

        Not necessarily. I'm sure most of those people (had to backspace over a few epithets) who spam Make Money Fast either lose money or get into legal trouble. But the damage is done (to me) before they learn that it won't make money. I think the driving force is selling spam services to gullible clients like these. (Not including the industrious Nigerians who seem to take a more personalised DIY approach.) Even if someone DID want penis-enlarging cream, I think by now they'd have a source of supply, that market must be pretty saturated by now.

  • [ADV] (Score:5, Funny)

    by VAXGeek ( 3443 ) on Tuesday January 13, 2004 @10:18PM (#7969203) Homepage
    W|i|r|e|d has a story ab0\/t the rand0m w0rds W H I C H have r*e*c*en*t*l*y been appearing in spam. Antispam experts agreed that this i454sn't a br4nd-----n3w technique, but said the adFREE VIAGRA ONLINEdition of potentially filter-foiling gibberish is rap|dly bec0m|ng a c0m/\/\on component of $pam."

    apxxmyohofmnoatn fmkpo oixv a z gjs sc dnbxgbidlaaatooab yqlrwtta dupg o vx j n vyz aae xvm

    • by raehl ( 609729 ) <raehl311@yahoo.GAUSScom minus math_god> on Tuesday January 13, 2004 @10:35PM (#7969409) Homepage
      You put Viagra in there in unaltered plain text.
      • You put Viagra in there in unaltered plain text.

        Well...the idiots out there have to know they're going to be paying for something, don't they?

      • You put Viagra in there in unaltered plain text.

        Should SPAM filters check for correct spelling/dictionary check? Whoops, scratch that - wouldn't want to kill Slashdot replies.
    • by Trejkaz ( 615352 ) on Tuesday January 13, 2004 @10:50PM (#7969520) Homepage

      What I don't understand about this type of spam is that often it doesn't contain any actual advertisement, just three or four lines of random words, and the end of the email right there.

      I don't get it. If you're not selling a product, what is the spam for?

      Mind you since TMDA, I haven't been seeing any spam anyway.

      • by he-sk ( 103163 ) on Tuesday January 13, 2004 @11:04PM (#7969635)
        That's the text/plain part you see. The "advertisement" is in the text/html part.

        I was very irritated by that, too, until one day I was testing the HTML viewer of an e-mail client.
    • Re:[ADV] (Score:5, Funny)

      by zcat_NZ ( 267672 ) <zcat@wired.net.nz> on Tuesday January 13, 2004 @11:43PM (#7969954) Homepage
      The Reg!st3r [theregister.co.uk] h4s a r4th3r @mus!ng t@ke on teh wh0le situ.ation a$ weII.
  • Well... (Score:4, Interesting)

    by i_am_syco ( 694486 ) on Tuesday January 13, 2004 @10:19PM (#7969205)
    A lot of the time that "random gibberish" comes in the form of a story or something. Hell, a while ago I got a spam that contained a few excerpts from The Raven by Edgar Allan Poe. I got a laugh out of that one.
  • by Frisky070802 ( 591229 ) * on Tuesday January 13, 2004 @10:19PM (#7969207) Journal
    My Mcafee Spamkiller ignores the white noise, and simply nukes all the mail containing viagra, etc.
    • by fo0bar ( 261207 ) * on Tuesday January 13, 2004 @10:30PM (#7969352)
      My Mcafee Spamkiller ignores the white noise, and simply nukes all the mail containing viagra, etc.

      What good is that when somebody spams you for Gen3r@c v|agar@?

      • by K-Man ( 4117 ) on Wednesday January 14, 2004 @12:09AM (#7970163)
        Let's see:

        Gen3r@c v|agar@
        Gener@c v|agar@
        Generic v|agar@
        Generic viagar@
        Generic viagr@
        Generic viagra

        That's an edit distance of 5, pretty large, but still findable with a little approximate matching, especially if it's weighted, to recognize the similarity between @ and a, or i and |.

        Most spam contains repeated phrases 40+ characters long. The mistake is to use word-counting techniques which ignore phraseology.

        For instance, here are some phrases from spam, circa one year ago:

        Please fill out the form below for more information
        To unsubscribe
        To remove your
        in the Marshall Islands
        Please allow 48-72 hours for removal
        to this email with REMOVE in the
        the Northern Ratak
        the information
        thousands of dollars
        that you will
        this list, please
        this advertisement
        this email in error
        this message, you may email our
        this transaction
        of thousands of
        of EnenKio and
        of Eneen-Kio Atoll
        of His Majesty
        our mailing list
        out 5,000 e-mails each for a
        opportunity to make

  • by dsplat ( 73054 ) on Tuesday January 13, 2004 @10:19PM (#7969208)
    This morning I got a piece of spam that quoted two sentences from Alice In Wonderland. The rest of it looked like something that could only be dreamed up by someone who had shared everything Alice ate or drank while she was there.
    • I also recently received some Alice in Wonderland citations with my spam.
      Who would have thought Project Gutenberg [gutenberg.net]'s biggest use would be for hawking herbal remedies?
    • I often take time to read the text/plain part of multipart spam. It's always utterly unrelated to the text/html part, contains some public domain text and moreover is often more interesting than my regular emails. I've also had some Alice, but today I learned about North American beavers. I had no idea they were so large.
    • by KalvinB ( 205500 ) on Tuesday January 13, 2004 @10:32PM (#7969376) Homepage
      randomly grab a paragraph from a book and include it with the spam.

      It would also help spammers to write better pitches. Use real words, actual English but put it in narrative real world scenario format. So it reads like someone you know telling you how they use such and such a product.

      "I went up the cabin last week with my girlfriend and tried out those new pills I heard about while I was there."

      There's pretty much nothing in there that would be filtered. And then a slight plug of the product name with a link and you're done. It's also Marketing 101 that the less of an ad sounds like an ad the more effective it is.

      But none of that thwarts my method which is to filter based on the URLs of links found in spams.

      I get virtually no spam with a Mercury rule file that's all of 23KB and grows very slowly as spammers use new domains to host their product pages.

      • so it reads like someone you know telling you how they use such and such a product.

        "I went up the cabin last week with my girlfriend and tried out those new pills I heard about while I was there."

        Oh, that has never ever been done in advertising... =)

        How about stuff like

        And the angels, all pallid and wan,
        Uprising, unveiling, affirm
        That the play is the tragedy, "Impotence,"
        And its hero the Conqueror Pill.


        Tis now the very witching time to have bad credit rating,
        When the stores yawn, a

    • by El ( 94934 ) on Tuesday January 13, 2004 @10:37PM (#7969416)
      ... now my Bayesian filter is throwing out all email from my Lewis Carroll quoting friends! Thanks a lot, spammers!
  • by theRhinoceros ( 201323 ) on Tuesday January 13, 2004 @10:20PM (#7969223)
    "Most of the illegal-exploit spammers use hash busters and any other trick they can to get past filters, refusing to accept that people use spam filters because they really don't want spam," Linford added.

    I really understand this part: going after people who are taking active measures against your enterprise due to their disinterest. Why bother to market to them at all? Is the rate of return worth all the ill will, DOS attacks and legislation?
    • by radicalskeptic ( 644346 ) <tritone@gmaiREDHATl.com minus distro> on Tuesday January 13, 2004 @10:31PM (#7969359)
      One reason is that ISPs, corporate servers, or some other body might have implemented the filtering, and not the one reading the mail.
      • Feature added (Score:3, Insightful)

        by Felinoid ( 16872 )
        In the past many ISPs would add filters and NOT tell the users they were doing it.
        Nowadays however ISPs (most notably Earthlink and MSN) advertise spam blocking as a feature.
        If people wanted this stuff you'd think non-filtering ISPs would advertise "You get ALL your e-mail".

        But back to the original point. Spammers have used misleading topics in e-mail if only to make sure you don't delete the message. That and creating spam lists based on people who DO NOT like spam or of people who have manually opted o
    • by McDutchie ( 151611 ) on Tuesday January 13, 2004 @10:40PM (#7969446) Homepage
      Why bother to market to them at all?

      In addition to living in their own criminally delusional world, spammers often don't spam for themselves but work for others. They get paid by their, er, client for each message sent, it doesn't matter to them whether it's wanted or not.

      Plus, there's always that .001% of suckers to keep the biz going if the cost of sending is close to zero.

    • by Anonymous Coward on Tuesday January 13, 2004 @10:41PM (#7969449)
      The technique also makes obvious the lie of their "we're just innocent entrepreneurs trying to make a buck" defense. Innocent entrepreneurs don't go out of their way to try to hack their data into other people's computers, past programs that are every bit as clear a sign of intent as a "No Soliciting" sign on your door.

      On every spam thread on Slashdot, there's someone complaining that technical measures won't solve the problem, and another saying legal measures won't solve the problem. The answer is that you need both: technical measures to assure the identity of the sender -- both spammer and sponsor -- as well as legal measures to provide for punishment.

    • by Eosha ( 242724 ) <esomas@NOsPAm.hotmail.com> on Tuesday January 13, 2004 @10:44PM (#7969470) Homepage
      Unfortunately, spammers are not in the business of selling things to consumers. They are in the business of selling advertising space to other companies. As long as they can convince unscrupulous business owners that advertising via spam is worthwhile, the spam will continue.
    • It just goes to show, they're not just motivated by greed. They, or at least the people making the programs that do this, actually *want* to annoy the shit out of people. They think it's their right to annoy us like this and they're on a mission to assert that right by subverting all attempts to tune them out. It's not just greed; it's a weird kind of sociopathy.
    • It's possible, if not likely, that some of the spamware authors are doing it for the challenge. Some of those guys are allegedly pretty good programmers, and I suspect that many of them are essentially hackers with no sense of morals. I could easily imagine somebody like that trying to figure out how to bypass spam filters just because it was a challenge, not because he actually expected any particular rewards for it. It's like trying to break into the computers in the Pentagon; it's stupid and illegal b

  • by phr1 ( 211689 ) on Tuesday January 13, 2004 @10:20PM (#7969226)
    They are sending sekrit instructions to al-spamda about where to hide the weaponz of mass distraction. Or who knows. Any government efforts to control steganography (like reported just yesterday [slashdot.org]) better go after spammers first, or we have to wonder what they're really up to.
    • by phr1 ( 211689 ) on Tuesday January 13, 2004 @10:29PM (#7969337)
      Whoever modded it that way is a moron.

      Spam is a perfect carrier for steganographic data since it's broadcast to millions of people and nobody can fall under suspicion merely by receiving it. When the government wants to monitor people's communications to search for steganography, when they don't do anything about spam, the purpose of the monitoring is probably not the stated one.

  • Why? (Score:3, Insightful)

    by aePrime ( 469226 ) on Tuesday January 13, 2004 @10:20PM (#7969233)
    I can see them doing this to overcome Bayesian filters, but why? AFAIK, Bayesian filters are not used much (if at all) on mail servers. These filters are run at home by geeks.

    Granted, this may get them past the filters, but if somebody's gone through the effort of setting up a Bayesian filter, they're not going to buy your product even if you get into their inbox. It seems like a waste of everybody's effort, and I mean including the spammers.
    • Re:Why? (Score:3, Insightful)

      by aXis100 ( 690904 )
      I agree about the bayesian comment. There are plenty of other very valid things to look for when filtering spam on servers:

      * valid sender domain
      * html links to external images etc, or large amounts of html in general.
      * blacklisted servers/relays

    • Re:Why? (Score:3, Informative)

      by Gherald ( 682277 )
      Yes, ISPs do not use Bayesian filters. Those are rare and spammers do not care about them.

      Random strings of text are used to get through the internal checks that large ISPs run on their message traffic.

      Yahoo, Hotmail, etc have "bulk email" type folders. In addition to using SpamAssassin type techniques, the filter scripts that put messages in these folders will check to see if the same message is being sent to multiple addresses. If this is so, it raises a flag and someone checks to see if it's a genuine
  • Simple Solution... (Score:3, Interesting)

    by tunabomber ( 259585 ) on Tuesday January 13, 2004 @10:21PM (#7969240) Homepage
    We just need a lameness filter for spam that looks for non-sequiturs and other crap like O.,b|f-u.s,c;a,t.e,d W,.o.r.d.s.
  • by dswensen ( 252552 ) * on Tuesday January 13, 2004 @10:21PM (#7969246) Homepage
    ...is knowing how successful this spam becomes. I get a lot of it, and I have to think that you'd have to be beyond merely dim or technically inept to take it seriously -- you'd have to be insane or have some sort of debilitating head injury. (Granted, that still may leave a lot of the Internet covered, but still).

    Spammers seem to have a lot of success when they're emulating more legitimate sources like Ebay, Microsoft, etc., but I get spam now that can't even seem to decide what it's selling. The subject line says "get rid of mortgage payments" and the body is selling "V.I.A.G.01331.A." I'm not even sure what I'd be getting if I were dull enough to actually click on anything in the message. Heck, I'm not sure if even the SPAMMERS know.

    I'd be interested to know if these spams are as successful as past efforts have been.
  • by Len ( 89493 ) on Tuesday January 13, 2004 @10:21PM (#7969248)
    This doesn't seem to be a very effective spam technique. It works pretty well at fooling my "bayesian" spam filter, but the spam messages have gibberish subject lines! Who's going to read a message titled "deprecatory parrot bizarre dessert"? (an actual example)
  • by Raindance ( 680694 ) * <johnsonmx&gmail,com> on Tuesday January 13, 2004 @10:22PM (#7969260) Homepage Journal
    A Bayesian spam filter teamed with a standard grammar checker adapted from an open-source word processor.

    It'll take more processing power, and lead to spammers following proper grammar in their pseudo-nonsense, but it's the way to raise the bar against this attack (making those spammers that can't clear the bar out of luck).

    Reminds me of a Dr. Seuss book...

  • There is so much crap flooding my inbox these days that the spam filter is slowly becoming a whitelist of my coworkers and a few external customers. Hardly anything else that comes in is worth the time to look at.

    I know that whitelists aren't the answer, but then nothing short of immediate execution of spammers is.
  • The Grammar Filter (Score:3, Interesting)

    by Esteanil ( 710082 ) on Tuesday January 13, 2004 @10:25PM (#7969287) Homepage Journal
    Let's see... There is translation software out there that has some basic understanding of grammar.
    Should we add a grammar-filter to the list of things we look for in spam?
    A large amount of incorrect grammar would increase the chances of the file being caught in the spam filter.
    Of course, this would lock out most of AOL users from writing email... But is that really so bad? :P
  • by sidney ( 95068 ) on Tuesday January 13, 2004 @10:26PM (#7969296) Homepage
    Paul Graham mentions the technique in this article [paulgraham.com], pointing out that the Bayesian filters look for words that commonly appear just in spam or just in non-spam. The random words are common in neither, so are simply ignored by the filters. As a technique, the random words would get past a filter that looks for some spammy to non-spammy word ratio. But that's not how the spam filters work.
  • by pclminion ( 145572 ) on Tuesday January 13, 2004 @10:27PM (#7969314)
    The problem with this technique for foiling spam filters is that Bayesian filters only examine words which occur in the dictionary of commonly used words. A Bayesian filter is individually trained on your personal mail. If the "red herring" words in the spam don't occur in your personal dictionary, they will be ignored by the filter and have no impact on its decision.

    For example, take the word "Byzantine." This is a very non-spammish word. However, if you've never received a legitimate email containing the word "Byzantine," your Bayesian filter will not have it in its dictionary, and the word will be ineffective in "tricking" the filter. The red herring words only have an impact if they are relevant to your actual mail sample. Since everybody's email communication is different (some of us are programmers, some of us are literature majors, etc.), this is a real sledgehammer approach to defeating the filters -- and it's extremely ineffective.

    This technique just proves that spammers don't understand the theoretical underpinnings of current Bayesian anti-spam methods. Otherwise, they'd be using much more common words as red herrings, instead of these extremely rare, and therefore insignificant, words.

    I personally use a spam filter of my own design which is based on information-theoretic and neural network techniques. It kicks the shit out of spam, even the messages that include these stupid red herring words. The spammers once again prove that they are morons, incapable of understanding how anti-spam technology actually works.

    • by YU Nicks NE Way ( 129084 ) on Tuesday January 13, 2004 @10:38PM (#7969429)
      Actually, the attack is more subtle than you think. The value of a random-words attack lies in the long-term damage it does to adaptive filters, not in how well or poorly it does with fixed filters.

      When an adaptive filter sees a rare word in a spam, it is likely to assign that word high spamminess. Problem is, the next time you see that word is likely to be in a piece of ham, resulting in a false categorization of a piece of ham as spam. The user cost of such an assignment is very high, and so users will be forced to look at their junk mail...which is, after all, what the spammers want.
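
Added example, not code from either poster or from any filter named in this thread: a deliberately simplified naive-Bayes token filter in Python that reproduces both claims above, namely that padding words the filter has never seen do not change a message's score, and that once an adaptive filter is trained on the padded spam, a later legitimate message containing one of those rare words gets flagged. The tiny corpus, the class and function names, the 15-token limit and the `min_count` threshold are all constructed for illustration.

```python
"""Random-word padding against a simplified adaptive Bayesian filter."""
import math
import re
from collections import Counter


def tokens(text):
    return set(re.findall(r"[a-z']+", text.lower()))


class TokenFilter:
    def __init__(self, min_count=1):
        self.spam, self.ham = Counter(), Counter()
        self.nspam = self.nham = 0
        # Tokens seen fewer than min_count times carry no evidence.
        self.min_count = min_count

    def train(self, text, is_spam):
        (self.spam if is_spam else self.ham).update(tokens(text))
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def token_prob(self, tok):
        s, h = self.spam[tok], self.ham[tok]
        if s + h < self.min_count or s + h == 0:
            return None                      # unknown or too rare: ignored
        ps = s / max(1, self.nspam)
        ph = h / max(1, self.nham)
        return min(0.99, max(0.01, ps / (ps + ph)))

    def score(self, text):
        """Probability that text is spam; 0.5 means no evidence either way."""
        probs = [p for p in map(self.token_prob, tokens(text)) if p is not None]
        # Keep the 15 tokens furthest from neutral, in a deterministic order.
        probs = sorted(probs, key=lambda p: (-abs(p - 0.5), p))[:15]
        if not probs:
            return 0.5
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1 - p) for p in probs)
        return 1 / (1 + math.exp(log_ham - log_spam))


# Constructed training corpus and test messages.
HAM_CORPUS = ["lunch meeting tomorrow at noon",
              "please review the quarterly report",
              "the build server is down again",
              "report attached for the meeting"]
SPAM_CORPUS = ["cheap pills online order now",
               "order cheap pills today",
               "free pills click now"]
PLAIN_SPAM = "cheap pills order now"
PADDED_SPAM = PLAIN_SPAM + " byzantine parrot dessert deprecatory"
LATER_HAM = "lecture notes on byzantine history"


def build_filter(min_count=1):
    f = TokenFilter(min_count)
    for msg in HAM_CORPUS:
        f.train(msg, is_spam=False)
    for msg in SPAM_CORPUS:
        f.train(msg, is_spam=True)
    return f


if __name__ == "__main__":
    f = build_filter()
    print("plain spam :", f.score(PLAIN_SPAM))
    print("padded spam:", f.score(PADDED_SPAM))    # same: padding is unseen
    print("ham before :", f.score(LATER_HAM))      # 0.5, no known tokens
    f.train(PADDED_SPAM, is_spam=True)             # user marks it as spam
    print("ham after  :", f.score(LATER_HAM))      # now looks like spam
    g = build_filter(min_count=2)                  # ignore one-off tokens
    g.train(PADDED_SPAM, is_spam=True)
    print("ham, min_count=2:", g.score(LATER_HAM))
```

Requiring a token to be seen more than once before it counts is one way to blunt the poisoning effect in this sketch; the padded spam is still caught on its real keywords.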
  • by LostCluster ( 625375 ) * on Tuesday January 13, 2004 @10:29PM (#7969333)
    The solution to randomness is to spell check and grammar check incoming e-mail, and consider violations as cause to add points to the score indicating that it's spam-like.

    Sure, a few strange words might be a name that's not in the filter yet, but pure gibberish should be a red flag that either somebody's cat walked on the keyboard, or there's spam going on here. Heavy use of "non-spam" words can override to indicate it's good mail... but a poorly composed mail that doesn't use language seen in friendly mail is highly likely to be spam....
  • by Kris_J ( 10111 ) * on Tuesday January 13, 2004 @10:30PM (#7969343) Homepage Journal
    Try this: turn on the "size" column in your favourite email client. I use Eudora (Tools-options-Mailbox). Note that a normal plaintext email is 3k. Now look at the size of a spam. You're paying for that, or someone is. Soon the spam arms race is going to require everyone to have broadband just to check their email.

    Still looking for an email replacement...

  • by g00bd0g ( 255836 ) on Tuesday January 13, 2004 @10:30PM (#7969353) Homepage
    could it be used on politicians?
  • Different Techniques (Score:5, Interesting)

    by kalidasa ( 577403 ) * on Tuesday January 13, 2004 @10:33PM (#7969381) Journal

    The article doesn't do a good enough job of explaining the different techniques in use.

    First, hash busters. Yes, spammers are loading a random jumble of meaningful words in meaningless sequences into their spam, usually in the plaintext message body of a message with HTML content (i.e., you get hash buster - html message with spam content - hash buster). So HTML-aware clients (the main clients targeted I'm sure are AOL and Outlook Express) show the spam message, but not the hash buster. I'm guessing that this is specifically targeting bayesian filtering tools at AOL (anyone know if AOL is using a bayesian filter?); it works by introducing words that would not be found in a spam corpus in greater numbers than those that would.

    Second, noisy spelling, like v1@gr@. Obviously this is also intended to defeat regex-based filters like spamassassin. If you vary your cliches enough, and you introduce very strange, but easy-for-a-human-reader-to-recognize spelling variants, you make it much more difficult for filter writers to write effective regexes.

  • by Jerf ( 17166 ) on Tuesday January 13, 2004 @10:33PM (#7969384) Journal
    The real problem will be when the spammers finally figure out how to deliberately poison the Bayesian filters. So far they're using more-or-less random words, but that won't really work against Bayesian; it can tolerate that.

    However, what constitutes "non-spam" is not as unique as most people think, as I've examined here [jerf.org]. If they figure out how to deliberately put in hammy words, Bayesian will fall.

    I feel OK posting this because I freely admit to this point I've overestimated them; I'm sure spammers have read that piece, and to date they have been too stupid to figure out what I said in plain English. But sooner or later one of them is going to figure out.

    There's a strong core of "ham" that is "ham" for everybody, and sooner or later they're going to start abusing that.

    And if I may forestall one objection... "But you don't understand Bayesian, it's [awesome for some reason and can't be beat ever, by anybody]" - I'll listen when you've actually written a program to examine filters yourself, OK? I understand it pretty damn well. It'll take more than bald assertions to convince me I'm wrong, I've done actual research, in the original sense of the word.
    • It's really simple. The ONLY way spammers can defeat Bayesian filters is if they imitate what you call ham. ham = What you want; spam = what you don't want. Unless they custom tailor each message or random words to each user and guess (through some form of magical powers) what kind of email you call ham, then they fail.

      Besides, if they could guess what your ham looked like, then they wouldn't be spammers... they'd be advertising folks pulling in 7 figures.
    • Nigerian scam spam is very different from most spam. It is a story that can be carefully written to use only words that are commonly used, assuming that the people who author them are able to go beyond their broken English all the way to use of statistically hammy correctly spelled text.

      But how would you sell more inches on your male member enhanced with V*@gra to make money fast watching celeb teenie nymphos doing it on the farm while only using ordinary non-spammy words?

      There are only so many ways to ge
  • by HeelToe ( 615905 ) on Tuesday January 13, 2004 @10:33PM (#7969386) Homepage
    I thought about this after seeing my inbox spam increase to about 80 a day (the box that contains what is filtered is usually 10 per hour - my address has been valid for just short of 10 years).

    Why not check the subject or first few lines of plain (not html) text and see if 80% of it is in /usr/share/dict/words? I thought about trying this out, but have been too busy to get off my ass and do it.
  • by mjprobst ( 95305 ) on Tuesday January 13, 2004 @10:34PM (#7969391) Homepage Journal
    I saw one just yesterday that contained a list of important key sentences and phrases from the literature of common charities and political activism organizations.

    In other words, if your Bayesian filter accepts those, based on your past decisions, it will detect the spam. If you reject the spam, you reject these communications as well.

    Good filtering practice would dictate that one reads the junk box carefully enough to find both false positives and negatives. But the sheer bulk of mail that ends up in the junk box makes this unfeasible for many.

    I have started letting these particular kinds of spam through, manually categorizing them (many words of random strings, dictionary vocabulary attack, positive phrase attack) in the hopes that filtering technology will soon advance to the point where these can be used as inputs to a more intelligent system.

    Of course overhauling the mail system is a prerequisite to solving any of this long-term. For once I don't mind D. J. Bernstein's Internet Mail 2000 proposals. Of course there are other proposed systems, none of which has enough momentum to start a slow steady change. The end result of any non-consensus system will be to fragment the worldwide network of Email into competing, noncompatible systems that need to communicate through some kind of loophole or gateway. Back to FIDO-net days.
  • I see this too (Score:5, Interesting)

    by rockwood ( 141675 ) on Tuesday January 13, 2004 @10:37PM (#7969418) Homepage Journal
    I've been using "SpamBayes Outlook Plugin" since a previous /. article talked about it.

    Agreeing with this article, over the past week or two I have seen an excessive amount of spam being missed by SpamBayes, even after marking them as spam for improved filter, they continue to hit the inbox whereas previously absolutely no spam made my outbox. Additionally, there may have only been 2 or 3 emails marked as possible spam when they were not. And zero items marked as definite spam that were not.

    SpamBayes has worked great previously, but now even it is falling short.

    I feel as the spammers manipulate the contents/context of the spam, it will eventually become impossible to determine the difference without physically looking at 500+ email daily.
    My primary use of email is business and not personal, therefore I cannot risk missing a client email, payment, question, etc... I've also seen a progression of clients having MY emails deleted or caught in spam filters due to the business aspect and requests for payments. I feel this is primarily due to the comparison of too-often-common-phrases that a spam email and a business email contain. Such things as Click here to submit payment, or Buy these Products, Overdue etc... Even though all clients I email are only clients that contact me. I never cold-email anyone.

    More spammers are using this random text as the only text in the subject and body, and using an image as the content of their email, which makes scanning even more complicated, if not impossible.

    Being on the net prior to what it is today (going on 20 years), I often wonder how much control the spam actually has over the net in several aspects

    • If spam were to disappear, will overhead costs decrease that greatly in order for ISP's to pass along higher saving to the consumer?
    • If Spam were to disappear completely, how much faster would the Internet be?
    Has anyone ever done a study to determine how much effect spam has on degrading the net, and what would it be like if all spam was gone tomorrow?
  • The next attempt (Score:3, Insightful)

    by eschasi ( 252157 ) on Tuesday January 13, 2004 @10:38PM (#7969432)
    As the article points out, the technique isn't as effective as one might initially think. However, there's a clear "next generation" method that I'm sure we'll soon be seeing:

    Insert four or five lines of valid extra text -- lines from books, selections from recent USENET postings, etc, etc -- into the spam. Make the selection semi-random. Now do it 100 times and send 100 copies to each person on the mailing list.

    One of them will get through. And the spammers will continue to work.

  • by crazyphilman ( 609923 ) on Tuesday January 13, 2004 @10:51PM (#7969535) Journal
    It's old fashioned, and some of you will probably make fun of me for using it, but hey, I'm old school. FYI, here's my method:

    1. Create manual spam filters (NOT Bayesian filters) in your inbox called "Friends and Family", "Work", "Services", "logfiles", and any others you find you need. Each category applies to a broad type of email address you'll receive email from. Then create a subdirectory in your inbox for each of these filters (named the same way, naturally).

    2. For each filter, build a list of people who are allowed to email you. For example, your ISP, your bank, and your phone company would probably be added to services. Just add the email address they send their messages from to the list.

    3. For each filter, have the filter move messages matching the filter (From equals ) to the correct subdirectory for the filter. Then stop processing for that message, so it doesn't get interpreted by other filters. Think of this as an analogy for ipfilter or ipfw in your firewall setup -- only you're filtering emails instead of packets.

    4. Finally, DELETE EVERYTHING ELSE in the very last filter.

    You USE this approach by doing a quick scan of the deleted items folder to see if anything is interesting. If not, just clean out those deleted items. It's a one step operation, much easier than selectively deleting a hundred emails one at a time.

    Then, you scan each of the folders you set up, IF the folder has picked up an email, focusing only on your REAL email.

    This approach has saved me a HUGE amount of work lately. My life is a whole lot easier, and it's way easier than trying to train a Bayesian filter. If I don't know you, you can't get too much of my attention.

    It's all about being on the list, sort of like getting into a nightclub... ;)

    • by John Jorsett ( 171560 ) on Wednesday January 14, 2004 @01:05AM (#7970573)
      Phil! Thank God! I've been trying to get in touch since I had to change ISPs and you stopped answering my email. How have you been?

    • Phil;

      Twice in this thread, I see you talking about training the bayesian filter. You seem to think this is something of a burden, like training a big dog...

      I think you misunderstand how easily one trains the current Mozilla email client's bayesian filter.

      Day 1:
      1: the mail comes in, spam included.
      2: one of the inbox columns is a blue 'recycle' lookin' symbol. It is a toggle that acts like the 'new' indicator column, and a click on it turns state on or off.
      3: glancing through the list, one clicks o

  • Just block the domain name/ip of the hosted images. Most spams I get come from random IPs but usually have common IP/domain name for the hosted images e.g.


    Or whatever. I've cut down from 50 spams to about 3 or so a day by doing that.

    I bet a bayesian filter would work nicer but unfortunately I'm too lazy to mod the mail setup [that isn't mine] to get one installed..

    • I use that method (Score:3, Informative)

      by KalvinB ( 205500 )
      includes sourcecode [icarusindie.com]

      Mercury Mail's session logs indicate a closed connection to indicate where e-mails begin and end but if you're using something else there's a RinetD mod with source which logs e-mails in such a way so that ripping through them is easy.

      My filter is all of 23KB and I get virtually no spam. I update every once in awhile when a spam gets through.

      I also have a couple sub-domains that point to a spamcan on my home connection which I use to bait spammers so I can preemptively filter them ou
  • Word Salad (Score:3, Interesting)

    by JohnGrahamCumming ( 684871 ) * <slashdotNO@SPAMjgc.org> on Tuesday January 13, 2004 @11:03PM (#7969623) Homepage Journal
    Weird. I am talking about this at the MIT Spam Conference [spamconference.org] on Friday and on a technique that can break a Bayesian spam filter.

  • How I deal with spam (Score:3, Interesting)

    by mabu ( 178417 ) on Tuesday January 13, 2004 @11:08PM (#7969658)
    I have had my main e-mail published and unchanged since 1995. It's probably on 99% of all spam mailing lists. One of my servers handles about 600 POP3 accounts. My stats currently indicate that now more than 80% of our SMTP traffic is confirmed spam.

    I don't believe in content-based filtering. We have a strict policy of not examining in any way, shape, or form, the content of any e-mail on our network.

    We deal with spam by implementing an array of fully-tested, fairly conservative relay blacklists which block the inbound SMTP connection before the junk mail is even transmitted.

    In more than two years of operation, we've only confirmed about six legitimate e-mails that were blocked, and we handle tremendous mail volume. It's an easy matter to "whitelist" anyone who might end up getting RBL'd to make sure the client can communicate with who they want. In EVERY case where a legitimate source was blacklisted, it was shown their ISP was irresponsible and the listing was valid.

    In addition to using RBLs, we also have an array of hard-coded IP blocks that our server will not accept mail from. This covers a good bit of the rogue Asia-pacific ISPs that are the largest source of open relays. Something as simple as blocking major portions of 61.* has been shown to reduce spam by 30+%. Anyone legitimately in China that needs to communicate with our network can be quickly whitelisted. Ironically, most of the ISP SMTP relays are not near the same broadband IP ranges - they obviously know how effective this technique is.

    With RBLs and hard-coded spamming in effect, instead of 200 spams a day, I might get 3-5. As soon as I get new spam, I report it to Spamcop, and I notice a quick reduction in future spam of that nature immediately.

    We're now getting near the point of blacklisting the entire 24.* IP block as well - which encompasses, among other things, a large portion of Comcast IP blocks that Comcast can't or won't control.

    I'd like to see more ISPs simply refuse to accept mail from rogue networks. Then these networks would have to be more responsible.

    Let me preface all this by saying our policy is to whitelist anyone who complains they have legitimate mail being blocked. For some strange reason, we don't hear any spammers making these requests. That's a shame because I'd be happy to visit them personally to make sure their situation is resolved in a mutually-deserving manner.
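The connection-time policy described in the comment above (whitelist first, then hard-coded blocks, then RBL lookups, all before any message content is read), as an added example that is not the poster's own configuration. The networks are documentation ranges, the zone `rbl.example.invalid` is a placeholder, and `offline_lookup` is a constructed stand-in for DNS.

```python
import ipaddress
import socket

# Constructed policy data: documentation-range networks and a placeholder zone.
WHITELIST = [ipaddress.ip_network("198.51.100.25/32")]   # sender approved on request
HARD_BLOCKS = [ipaddress.ip_network("198.51.100.0/24")]  # stands in for a block like 61.*
RBL_ZONES = ["rbl.example.invalid"]                      # hypothetical blacklist zone

def dnsbl_name(ip, zone):
    """DNSBL convention: reversed IPv4 octets prepended to the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def dns_lookup(name):
    """Real resolver: a DNSBL answers with an A record only for listed addresses."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def check_connection(ip_text, lookup=dns_lookup):
    """Decide from the peer address alone, before any message content is sent."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in WHITELIST):      # whitelist overrides every block
        return ("accept", "whitelisted")
    if any(ip in net for net in HARD_BLOCKS):
        return ("reject", "hard-coded block")
    if ip.version == 4:                          # this sketch only queries IPv4 lists
        for zone in RBL_ZONES:
            if lookup(dnsbl_name(ip, zone)):
                return ("reject", "listed in " + zone)
    return ("accept", "not listed")

# Constructed stand-in for DNS so the example runs offline.
FAKE_LISTED = {"7.113.0.203.rbl.example.invalid"}

def offline_lookup(name):
    return name in FAKE_LISTED

if __name__ == "__main__":
    for peer in ("198.51.100.25", "198.51.100.80", "203.0.113.7", "192.0.2.10"):
        print(peer, check_connection(peer, offline_lookup))
```

Because the whitelist is checked first, a single approved sender inside a blocked range keeps working without loosening the block for its neighbours.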
  • by adrianbaugh ( 696007 ) on Tuesday January 13, 2004 @11:39PM (#7969917) Homepage Journal
    It seems to me it would be much harder to poison a filter that did Bayes by splitting email into word pairs or triplets and assigning ham and spam probabilities for each. That way the bad grammar and random word lists would be extra-bad. I suspect longer sequences would become harder and harder to foil. They might require extra training of the database, but if you're getting lots of spam that isn't really a problem. Perhaps the word sequence length could be configurable.
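The word-pair idea from the comment above, as an added example that is not code from the poster or from any real filter: a small naive Bayes scorer with configurable sequence length, run on a constructed corpus and a constructed spam message padded with ham words. It assumes Laplace smoothing and treats n-grams never seen in training as neutral, so it only measures whether padding can dilute the score.

```python
import math
from collections import Counter

# Constructed training data (not real mail).
HAM = ["the meeting is moved to friday afternoon",
       "please review the report before the meeting",
       "lunch on friday with the project team",
       "the project report is due next week"]
SPAM = ["buy cheap pills online now",
        "cheap pills no prescription buy now",
        "order cheap pills online today",
        "buy now and save on cheap pills"]

SPAM_MSG = "buy cheap pills online now"
# Ham vocabulary in an order that never occurs in the ham corpus.
SALAD = "report friday meeting project lunch team week the review afternoon"

def ngrams(text, n):
    """Split text into overlapping word sequences of length n."""
    words = text.lower().split()
    return [" ".join(words[i:i + n]) for i in range(len(words) - n + 1)]

def train(n):
    """Count n-grams per class; returns (ham_counts, spam_counts)."""
    ham, spam = Counter(), Counter()
    for msg in HAM:
        ham.update(ngrams(msg, n))
    for msg in SPAM:
        spam.update(ngrams(msg, n))
    return ham, spam

def score(text, n, model):
    """Sum of per-token log-odds; above 0 leans spam, below 0 leans ham."""
    ham, spam = model
    vocab = len(set(ham) | set(spam))
    h_total, s_total = sum(ham.values()), sum(spam.values())
    total = 0.0
    for tok in ngrams(text, n):
        if tok not in ham and tok not in spam:
            continue                      # assumption: unseen n-grams are neutral
        p_spam = (spam[tok] + 1) / (s_total + vocab)
        p_ham = (ham[tok] + 1) / (h_total + vocab)
        total += math.log(p_spam / p_ham)
    return total

if __name__ == "__main__":
    padded = SPAM_MSG + " " + SALAD
    for n in (1, 2):
        model = train(n)
        print(n, round(score(SPAM_MSG, n, model), 3), round(score(padded, n, model), 3))
```

With single words the padded message scores below zero, while with word pairs the padding contributes nothing because its pairs never appeared in legitimate mail.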
  • Habeas SWE in spam (Score:3, Interesting)

    by YetAnotherDave ( 159442 ) on Wednesday January 14, 2004 @12:42AM (#7970418)
    Has anyone else seen a spurt of Habeas SWE headers in spam?

    I'd never seen any until this week, and suddenly I've got like 5/day.

    I forwarded them to the good folks at Habeas, hopefully the spammer will get sued into oblivion, but it's forced me to re-score SWE with a much lower bonus in SpamAssassin...

    http://habeas.com/servicesHowSWEWorks.html for those who don't know what I'm talking about, btw
  • Gibberish, or code? (Score:5, Interesting)

    by cr0sh ( 43134 ) on Wednesday January 14, 2004 @02:16AM (#7970904) Homepage
    I, too, have noticed these seemingly random words that seemed to have nothing to do with the main text of the spam. I have also noticed the "gibberish words". One of my thoughts was that it was for defeating or bypassing bayesian filters - and likely, that is the case. But my thoughts turned to another possible use...

    What if spam and the spammers' software - was actually being used by a third party in a surreptitious manner to send/receive messages? Kinda like plaintext stego. Maybe the software used by spammers is backdoored by this third party - he sends instructions to the machine(s), maybe via a virus or something simpler, the spammers send their messages, but "unknown" to them the spams have this garbage at the end. The spammer doesn't really care, maybe he bitches at whatever passes as tech support for the spam software. Most people who receive the spam see the stuff as garbage, or filter busters. But a certain group of the third party's friends - they have special email software that downloads these spams, and strips the garbage out, decodes it, and reassembles it into the real message. Maybe each spam only contains the equivalent of a couple of characters after decoding (maybe the garbage is actually packets telling order in the sequence, and other info to reconstruct the message) - but over a week or so, an entire message could be sent...

    What is the possibility of that? Occam's Razor suggests otherwise, and filter busters are probably what the stuff is - but...what if...?

    • by Steve B ( 42864 ) on Wednesday January 14, 2004 @09:10AM (#7972270)
      What if spam and the spammers' software - was actually being used by a third party in a surreptitious manner to send/receive messages? Kinda like plaintext stego. Maybe the software used by spammers is backdoored by this third party - he sends instructions to the machine(s), maybe via a virus or something simpler, the spammers send their messages, but "unknown" to them the spams have this garbage at the end. The spammer doesn't really care, maybe he bitches at whatever passes as tech support for the spam software. Most people who receive the spam see the stuff as garbage, or filter busters. But a certain group of the third party's friends - they have special email software that downloads these spams, and strips the garbage out, decodes it, and reassembles it into the real message. Maybe each spam only contains the equivalent of a couple of characters after decoding (maybe the garbage is actually packets telling order in the sequence, and other info to reconstruct the message) - but over a week or so, an entire message could be sent...

      This would be a very useful method for terrorists -- it would not only conceal the message itself, but also would defeat traffic analysis (i.e. nobody would be able to tell who sent or received the message -- it's sent by a spam king and received by everybody).

      About the only way to guard against it -- or find out if the terrorists are already using this channel -- is to anal-probe all spammers for their client lists, then anal-probe all the clients. Fortunately, the obvious criminal content of 99.9% of spam provides sufficient probable cause for such action.
