Archive for the ‘spam’ Category.

The Relationship Between Network Security and Spam

Carl Hutzler and Ron da Silva, AOL Time Warner, at NANOG:
The Relationship Between Network Security and Spam:

  • Large ISPs like AOL have deployed sophisticated blocking, rate
    limiting, and filtering technologies which are forcing spammers
    to find new methods.

  • In order to blend in, spammers like finding IP space and/or
    accounts on major ISPs. We are forcing them to the ISPs

  • Spammers are likely paying hackers to provide IP space for
    them to utilize with the goal being to spread out the volume
    across many IPs to blend in.

    • Many of the techniques hackers use are more and more criminal
      and disruptive in nature

Network and Application Security are more important than ever.

The presentation’s last slide includes instructions on how owners of networks can register to receive realtime AOL spam complaints (the Complaint Feedback Loop).


Scientific American: Baffling the Bots — Anti-spammers take on automatons posing as humans on
“completely automated public Turing test to tell computers and humans apart” (CAPTCHA):

“This is our arms race,” he says. “There’s no question that bots are going to become more and more sophisticated.”


Note that I’ve heard rumors of (or at least predictions of) CAPTCHA-workaround systems that farm out recognition work to pools of humans, e.g. by presenting them to users of other heavily-trafficked sites. If anybody has a specific example of that, I’d like to know.

Update: Thanks to Yakov Shafranovich for pointing out Matt McCay’s weblog pointing to a Pittsburgh Post-Gazette article citing Luis von Ahn at CMU as the source of this:

But at least one potential spammer managed to crack the CAPTCHA test. Someone designed a software robot that would fill out a registration form and, when confronted with a CAPTCHA test, would post it on a free porn site. Visitors to the porn site would be asked to complete the test before they could view more pornography, and the software robot would use their answer to complete the e-mail registration.

Stop violating RFC2822 address specifications

Many web sites that collect email addresses are unnecessarily restrictive regarding what characters are allowed in email addresses. The specification is RFC2822 section 3.4.1, and the “local part” allows:

  • non-whitespace controls
  • the rest of the US-ASCII characters not including “[”, “]”, or “\”

In particular, “+” is valid in the local-part of an email address, and is very commonly used by people to hand out distinguished addresses for purposes of tracking, sorting, and refiling.

Today’s violator is EarthLink SpamBlock, a challenge-response email spam blocker, which does not allow me to register a plus-containing address as an originator of mail.
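The difference in practice, as an added example (not code from the original post): a narrow pattern of the kind many sign-up forms use, next to a check built from the RFC 2822 atext/dot-atom grammar (section 3.2.4). It covers only the dot-atom form of the local part, not quoted strings or obsolete syntax; the function names, the narrow pattern, the DNS-label domain rule and the sample addresses are assumptions constructed for illustration.

```python
import re

# atext from RFC 2822 section 3.2.4: letters, digits and these specials.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
# dot-atom-text: runs of atext separated by single dots (no leading,
# trailing or doubled dot).
DOT_ATOM = re.compile(rf"[{ATEXT}]+(?:\.[{ATEXT}]+)*")
# Assumption: the domain is limited to DNS-style labels, which is
# stricter than the RFC 2822 grammar but typical for a web form.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

# Constructed example of an overly narrow form-validation pattern.
RESTRICTIVE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def restrictive_accepts(addr: str) -> bool:
    return RESTRICTIVE.fullmatch(addr) is not None


def is_valid_addr_spec(addr: str) -> bool:
    """Accept local-part@domain where local-part is an RFC 2822 dot-atom."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False
    if not DOT_ATOM.fullmatch(local):
        return False
    labels = domain.split(".")
    return len(labels) >= 2 and all(LABEL.fullmatch(l) for l in labels)


# Constructed sample addresses (example.* domains are reserved for docs).
SAMPLES = [
    "first.last@example.net",
    "user+tag@example.com",     # plus-tagged address
    "o'brien@example.org",      # apostrophe is atext
    "a..b@example.com",         # doubled dot: not a dot-atom
    "user name@example.com",    # bare space is not atext
]


def wrongly_rejected(samples):
    """Addresses the grammar allows but the narrow pattern refuses."""
    return [a for a in samples
            if is_valid_addr_spec(a) and not restrictive_accepts(a)]


if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a:28} narrow={restrictive_accepts(a)!s:5} "
              f"rfc2822={is_valid_addr_spec(a)}")
```

The narrow pattern also accepts "a..b@example.com", which the dot-atom grammar rejects, so it is both too strict and too loose.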

Spammers use hotels to send e-mail

Spammers use Ottawa hotels to send e-mail:

A handful of hotels in the Ottawa area have unwittingly become the instruments of e-mail spammers, who use the hotels’ high-speed Internet access services to send unsolicited electronic mail touting products and services.


You Might Be An Anti-Spam Kook If…

ISIPP & False Positives & Vendor Liability in US spam law (proposal)

ISIPP’s Anne Mitchell mostly discusses the pain of false positives, and suggests vendor legal liability as one solution.


The Story of Nadine

The Story of “Nadine” — a Tale of Mailing Lists. It’s been out there for a while, but somehow I’ve missed it until now. A diligent system administrator writes up the story of one misaddressed opt-in and the subsequent sale of that information from one spammer to another. Particularly interesting was the effort one spammer put in, by apparently going to the trouble of looking up the name of a joint tenant in some public records somewhere.

Paul Graham on Filters that Fight Back

The inimitable Paul Graham has published his latest installment on anti-spam filters: Filters that Fight Back.

He summarizes today’s state of affairs, then plays out the next ply or so:
Spammers are trying to foil learning filters with chaff of various kinds. Once they get good at it (here’s one I haven’t seen yet: pick up the chaff during your web scraping), the spam text itself will need to try to look more bland and indistinguishable, and the distinguishing features will no longer be embedded but will lie one or two HTTP GETs away instead.

So PG expands on the auto-retrieval of web content as part of filtering.

But, in my view, he enters an area fraught with peril for both technical and legal reasons:

a “punish” mode which, if turned on, would retrieve whatever’s at the end of every URL in a suspected spam n times, where n could be set by the user.

While auto-retrieval will become part of the landscape as part of the machinery of automated personal assistants, it will be tricky to implement without unwanted side-effects. Spammers will try to create new legal cover by including “shrink-wrap consent” triggered by auto-retrievers. The mere suggestion of “hack-back” intent creates a legal vulnerability as well.

SurfControl Says Spammers Worldwide Are Accelerating Techniques to Avoid Detection

In this article, SurfControl tries to introduce its own catchy names (Hidden Agenda, Treacherous Tracks, Dodgy Domains, Random Ramblings, Counterfeit Characters, Elusive Illusions) for various common tactics.

MSNBC on who profits from spam

Who profits from spam? Surprise: tracks down the connections between some reputable firms and the “affiliates” they buy leads from.