If this "personalized spam" can scale, we and the Net are in very big trouble


It's been quite a while since I covered the topic of spam from a technical point of view. I used to go deep on the issue. I would propose potential solutions, vet other ones, and tell readers why most of the ideas they were coming up with -- for example, a National Do-Not-Spam Registry -- were well-intentioned but ultimately unworkable. I even formed an event (JamSpam) that pulled all the major vendors together in hopes of getting them to produce some anti-spam standards. But it was to no avail. For the most part, vendors see big money in being the one who can best stop spam. And so, there's no incentive to collaborate in a way that produces some standards that would ultimately mean no one makes money on stopping spam (which is the way it should be). It's a long story.

The bad news? There are still no such standards. More bad news? There's no sweet spot in today's anti-spam systems. What I mean by this is that all anti-spam systems have some knobs and levers that are controlled by the e-mail recipients (or administrators) and there's no way to perfectly tune them so that all spam is kept out and all the good e-mail is let in. The sweetest spot that can be found is one where some spam still gets through, and some good e-mail gets tagged as spam (known as a false positive). The result is that we have to double check our anti-spam or junk e-mail folders (known as "honey pots", these are the places where our anti-spam solutions are dumping suspected spam) anyway. I now do it twice a day because of the number of legitimate e-mails that are somehow getting dumped there -- some of them important ones. If we have to double check our honey pots, we might as well not have anti-spam systems at all. That's because the whole point of these systems is to save us the time it would normally take to manually decide if something is spam or not.

So, why write about spam again now? Because I've noticed a new kind of spam that's quite amazing in how it can probably beat most anti-spam systems and I'm wondering if robots are doing the work or if some human is doing this by hand. I suspect it's robots, which is why it has me worried because it looks like there are humans at work (not a scalable system). This new form of spam appears to be very personalized to me. For example, the subject lines in a lot of the spam I've been getting appear extremely targeted to my interests. The last such spam to show up (promoting penny stocks) had the following subject line:

Creating the Portlet ClassAs a first step, create the portlet class and name it MashupMapPortlet, as described in this section.

Then, the body of the spam includes the following text:

In tests, Sun's Java Enterprise Performance team has found that the two operations take about the same amount of time. In the future, you might expect deployment through annotation processing to improve more than deployment through XML parsing. Externaldependencies that cannot be injected through resource injection, suchas JDBC or message queue connections, can still be cached while yourbeans are active. In the future, you might expect deployment through annotation processing to improve more than deployment through XML parsing. You could solve this problem by making the MBean a Dynamic MBean rather than a Standard MBean and by implementing the DynamicMBean. DefinitionFirst, define the portlet class in MashupMapPortlet. Another potential problem appears when trying to determine stringequality.Keys and certificates stored in MS Windows key containers and certificate stores, known as keystores, can be accessed by using the java. Working within the Swing toolkit, I've learned to pick up things from source code. Defining a Type for the Bundle of ValuesAn alternative approach is to define a Java class that represents the relevant bundle of values. But you can write first-rate Swing applications that are very quick and perform well.MXBeans are used in the java.
jsp page contains an HTML scripttagrendered by the renderer, Compiling a ProjectOnce you have finished modifying the code, you can either compile classes individually or compile and build the entire project. In particular, the MemoryUsage example in the previous section is inspired by the MemoryUsage class from that package and by the MemoryMXBean interface that uses it.More than one provider supports RSA cryptographic services: The SunRsaSign provider offers the RSA KeyPairGenerator and Signature services and the SunJCE provider offers the RSA Cipher service. jsp is mostly JavaScript code....

For the most part, this passage makes no sense and there is no connection to the subject line. But what's scary is that this is the sort of stuff that I'd normally read. And I'm pretty certain that someone, or worse, some machine knows that. This isn't the only spam I've gotten like this. I'm getting a lot of spam that indicates somebody or some thing has somehow picked up on my areas of interest, and, as a result, is sending spam to me that includes text that easily gets by the watchful eyes of any anti-spam system I've set up. I'd say about ten of these have found their way into my inboxes in the last week. All of this work to sneak the following graphic onto the display in front of my face:

First, the reason spammers use graphics is because graphics are a means of presenting text that can't be examined by anti-spam technologies that normally inspect an e-mail's text. Many anti-spam technologies just throw graphics since not much can be determined by their presence. Second, take a closer look at this graphic. Not only was the text in the main e-mail designed to fool most anti-spam systems, the text in the graphic is designed to fool any software that tries to scan graphics for offending text. Because the characters are "wavey", most scanning software won't even realize there is text in this graphic.

The level of sophistication in this spam -- and the fact that it's getting by two anti-spam technologies that I rely on (a centrally managed version of Spam Assassin and Outlook's built-in anti-spam tech) -- is quite scary.

  • Could get very nasty

    I've seen this type of spam constantly for the last month and more.
    And I thought it was "personalised" in the same way you did.
    This could get very nasty as it gets recognised as getting results - and the spamming method gets more sophisticated.

    I'd love to see some sort of popular, automated, workable whitelist system where email contacts have to be globally "cleared" before they are given a green light to send moderate amounts of mail in a time period.
    Your mailer could then check some sort of PGP key before accepting the mail.
    I know there will be all sorts of dodges that need to be dealt with and resources will need to be expended, but we need a pro-active system sooner than later.

  • Filterbusters

    David, the first example you gave is intended to ruin the utility of Bayesian filters. Most likely, the scraper put together "sightings" of your address and correlated it with others found nearby, then generated word salad with words or phrases common to those locations.

    It's a long way from passing the Turing Test, but then so are the filters.

    The trick is to either associate the words with spam (forcing false positives) or get you to stop using those filters (sort of 100% false negatives.)

    I get fairly good results from DNSBL at my server, and have been playing with rules that would reject the "bursts" that come from zombies (I'll usually get a dozen or so at a time with the same message in minor variations.)

    However, there's no doubt that the flood is *waaaaay* up from just last month.
    Yagotta B. Kidding
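
One way to express the "burst" rule from the comment above, as an added example that is not the commenter's own configuration: group messages that arrive within a short window and share most of their word 3-shingles (Jaccard similarity), then flag any group that reaches a minimum size. The function names, thresholds and sample messages are constructed for illustration.

```python
import re

def shingles(text, k=3):
    """Set of overlapping k-word sequences, case and punctuation ignored."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        return frozenset([" ".join(words)])
    return frozenset(" ".join(words[i:i + k]) for i in range(len(words) - k + 1))

def jaccard(a, b):
    """Overlap of two shingle sets: 1.0 identical, 0.0 nothing shared."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def find_bursts(messages, window=60, threshold=0.6, min_count=4):
    """messages: (epoch_seconds, msg_id, body) tuples.
    Returns one list of msg_ids per burst of near-duplicate bodies."""
    clusters = []  # each holds the first body's shingles, last arrival time, ids
    for ts, msg_id, body in sorted(messages):
        sig = shingles(body)
        for c in clusters:
            # Join a cluster only if it is still "live" and the text mostly matches.
            if ts - c["last"] <= window and jaccard(sig, c["sig"]) >= threshold:
                c["ids"].append(msg_id)
                c["last"] = ts
                break
        else:
            clusters.append({"sig": sig, "last": ts, "ids": [msg_id]})
    return [c["ids"] for c in clusters if len(c["ids"]) >= min_count]

# Constructed sample: five variants of one pitch within seconds, two unrelated
# messages in between, and one more variant long after the burst has ended.
BASE = ("hot stock alert this penny stock is set to explode "
        "buy now before the price doubles")
SAMPLE = [(1000 + 3 * i, f"spam-{i}", f"{BASE} ref {4711 + i}") for i in range(5)]
SAMPLE += [
    (1005, "ham-1", "Minutes from Tuesday's meeting are attached, please review before Friday"),
    (1010, "ham-2", "Your build of the portlet project finished with two warnings"),
    (5000, "late-1", f"{BASE} ref 9999"),
]

if __name__ == "__main__":
    for burst in find_bursts(SAMPLE):
        print("burst:", burst)
```

The window keeps a lone copy that arrives much later from being counted, and comparing text rather than source address is what lets the rule catch copies sent from many different zombie machines.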
  • Spam has to be made more costly.

    As the recipient of some of the "word salad" SPAM mentioned in the story, I can sympathize. I recall a proposal some years ago to create a system of "postage" for the Internet, but to have the sender pay in cycles rather than in actual funds. After all, the reason that SPAMMers can get away with what they do is that SPAM is essentially "free" once you buy the equipment. Put another way, we don't get more physical SPAM (i.e. junk mail) because there is a true cost to the sender (paper, printing, postage) which acts as a limiter.

    The proposal I read suggested that the "postage" would be some mathematical problem, costing moderate effort, which the sender would have to solve before their message would be accepted. The trick is the problem would scale badly, so that sending a few emails at a time would not be a problem for an individual, but sending millions would require a significant investment in computing hardware. Make him have to buy a Cray XT3 if he wants to spam everyone.
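
The "postage paid in cycles" idea from the comment above, in the style of Hashcash, as an added example that is not part of the original thread: the sender searches for a counter that gives a SHA-256 digest with a set number of leading zero bits, and the receiver checks the stamp with a single hash. The stamp layout, function names and the 12-bit difficulty are assumptions chosen for illustration.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest):
    """Number of zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def mint(recipient, date, bits):
    """Sender: brute-force a counter; costs about 2**bits hashes on average."""
    for counter in count():
        stamp = f"{bits}:{date}:{recipient}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp

def verify(stamp, recipient, date, min_bits, seen):
    """Receiver: one hash, plus checks that stop a stamp being reused."""
    try:
        claimed, s_date, s_rcpt, _counter = stamp.split(":")
        claimed_bits = int(claimed)
    except ValueError:
        return False
    # The stamp must be hard enough and bound to this recipient and this day,
    # so one stamp cannot pay for mail to a whole address list.
    if claimed_bits < min_bits or s_date != date or s_rcpt != recipient:
        return False
    if stamp in seen:  # the same stamp presented a second time
        return False
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < claimed_bits:
        return False
    seen.add(stamp)
    return True

def expected_hashes(bits, recipients):
    """Average sender work: linear in the number of recipients."""
    return (2 ** bits) * recipients

if __name__ == "__main__":
    seen = set()
    stamp = mint("alice@example.org", "20061001", 12)  # constructed values
    print(stamp, verify(stamp, "alice@example.org", "20061001", 12, seen))
    print("hashes for 1,000,000 recipients at 20 bits:",
          expected_hashes(20, 1_000_000))
```

The asymmetry is the point: the receiver always pays one hash, while the sender's bill grows with every additional recipient because each stamp names exactly one address.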
  • You nailed it, Dave Berlind

    The only way this is going to get solved is with a common standard for authentication. Since there is so much money to be made stopping spam, vendors are not willing to agree upon a common standard to use for this purpose. I'm sure they're even mucking up the standard setting process to favor their own platform.

    So until the vendors *get it*, the problem won't be solved. Too bad.

    • How Is Authentication Going to Help

      with so many machines compromised and acting as zombies spewing spam? Am I missing something?
  • I use a good system

    I have been using a system made by http://www.esafe.com which I find to be VERY useful. I get a lot of spam per day yet only 2 gets through to me during the week.

    Their engine (which is about to get improved tomorrow afternoon) has at least a 98% success rate for me and I do receive a lot of word salad. I forward the email onto spamreport@esafe.com and the next day an identifier is produced that stops it dead in its tracks. Works wonders for me!!
    • someone must be buying

      It is like the old Roy Chubby Brown joke about Africa.

      There has to be some idiot out there who is responding to email and purchasing items that are offered for sale within, otherwise spammers would not bother wasting their time, would they?
      Unless of course it is the anti spam companies releasing it, without spam they have no business!

      If people stopped buying from spam (I know of no one who has ever bought anything from spam) I'd hope they would get the hint!
      • There is always someone...

        There are a lot of folks out there who fall for these kinds of things. The oldest tricks in the book are scams and hustles. People have been bilking the unwary out of their time and money for a long time, and will continue to do so as long as there are people who fall for it. That's why we still see things like the million dollar 3rd world widow who needs help moving her money, or the incredible stock that will make you (personally!) a millionaire if you'd just buy it.

        What is needed is standards, but also we need more effort at educating those folks who need it. Standards by themselves are hard to create, but also harder to enforce since email and the internet are global. My personal campaign is teaching the less computer-savvy folks I know about how to avoid spam email scams.
    • That's all well and good...

      But esafe is no longer being offered to home users and they advise anyone who wants to use it on a home network to find an alternative product from another vendor.
  • Honey Pot? Not.

    A junk mail folder should not be referred to as a "Honey Pot". A honey pot is a system with no valuable data, designed to look like a valuable system, to attract and trap hackers (another mis-used term...).

    A junk email folder has nothing to do with attracting spam or trapping spammers.
    • Honey Pot? Not.

      The definition of "Honey Pot" that this old country-boy heard 50 years ago referred to the pot that was emptied into the outhouse every morning.

      Spam folders fit that definition pretty well... :-)
      David Shields
    • Honey Pot & Homie Pot

      #1 -- Wikipedia also has a definition of "honey pot" as:
      "In the age of outhouses, the honey pot was the pot one would urinate in if they didn't feel like going outside to the outhouse." I suspect that's more what the derivation is for the folder into which junk mail is put. On the other hand, Wikipedia references another, more common meaning for "honey pot" which definitely doesn't relate to junk mail. We do need something shorter than "probable junkmail folder". I nominate "spam pot".

      #2 -- We also need a folder in our email programs into which all email from someone in our email address list goes, so we can find those easily and they never get dumped into the Spam Pot. Maybe we should call this the "homie pot." I haven't figured out how to do this with my mother's Outlook Express. I use Eudora, where this function is readily available. If an email isn't from someone in my address list, either the junk mail program puts it into a JunkMail folder, or at best it ends up in "Strange Senders". If you knew you'd never miss an email from someone in your address list, wouldn't you feel a lot better about quickly scanning through the mail in the Spam Pot before dumping them all?
  • What really worries me

    are the spam emails that spoof real online sites like eBay or PayPal. I just got one of these the other day. An email that looked like an authentic eBay message from another eBay member which stated that the sender had received my money order for a mobile phone that I had bought and needed a reply with shipping information. Every link in the email brought up a real-looking eBay login page, real enough that if I hadn't known that eBay will never ask for a password from an email I might have fallen for it. Even though I knew I hadn't won a mobile phone, my first instinct was to contact the "seller" and let them know that they had the wrong guy. My tip-off was having to log in to reply, so I looked at the URL and sure enough it was from an "e-bay" address. A sure sign that it was a fake login page.

    The unfortunate part is that many folks don't think about that kind of thing and would have logged in, thus giving their account ID and password to a hacker. These kinds of spam emails are very well done, and this particular one was good enough to get past all of my spam filters.

    What is truly needed, in addition to some sort of standard, is to pass along the knowledge to folks about how to avoid these kinds of things. If no one fell for the things that spam emails offer then there would be far less spam floating around out there.
  • ISPs are struggling to keep up.

    ISPs are struggling to keep up with the volume of SPAM down here in New Zealand. My ISP reported today that this September they handled 226 million items of SPAM for the month and is about 98% of all email. Last year it was "only" 65 million in the same period.
    A solution, independent of the SPAM filter coys, would be for ISPs to offer a free license number to approved "opt-in" advertisers. This would be in the header or subject line, and would get an automatic pass, but could be revoked in a stroke if abused. This would identify you as SPAM by default. No false positives, and it's controlled by each ISP to a license format standard. An ISP could start this process independent of anyone else, clearing its own clients before transmission on to the web. Thoughts?
    Keen Observer
  • Try both technology and law enforcement

    The first problem is that the spam filters are not integrated into our mail systems very well. I run Groupwise, so there is no excuse for the spam filter to not check Groupwise for "good" addresses. I don't mean my address, I also mean all the addresses that I send mail to. This gives an automatic white list.

    Then at the firewall, why should you accept 10 mails per second from anyone? Why should you accept 1 connection per second for an hour from anyone?

    Then there is the reverse DNS. It is not just enough to see if the domain "hotmail.com" exists. You also have to check the MX addresses to see if the mail came from one of them. (If not, it is forged headers.) And, this is also a firewall issue, not just an eMail issue. If the mail says it is from "joe@hotmail.com" but came from the wrong IP, (often the wrong continent!) you reject it.

    Finally, there is law enforcement. When I was in High School we were taught about "probable cause." Since much of the spam is for obvious criminal activity, why can't "Special Agent Joe" have an eMail account? (This is not entrapment, since you are not fishing for crime spam, you are just being there.) When the back phish comes, why isn't there a warrant, and 10 guys kicking in the spammer's door, within 10 minutes? Why are we allowing obvious bank robbery attempts to go on thousands of times per day? What is the government's interest in allowing this? Does anyone have an idea?
  • Call me unforgiving...

    Call me an unforgiving !#@*(%^*^!, but I'm seriously considering calling for the formation of hit squads for these (insert favorite descriptive expletive here). Track 'em down and make 'em an offer they can't refuse, or worse. Total spam hitting my seven e-mail accounts yesterday was in excess of 2,300 messages. Filters hacked that down to a much more reasonable number to deal with, but really! Over seven billion worldwide last month, and growing daily. It's gotta stop. And, until we can make real penalties, worldwide, a reality, it's not going to stop. All that wasted bandwidth and resources.

    Since we can't just track 'em down and shoot 'em, can't some of the larger providers file class action suits against these clowns for abuse of their systems? Violation of green laws? Something?
    Dr. John