04.04.06
Posted in Spam at 2:01 am by Craig
I testified today in front of a subcommittee of the California State Senate (actually, basically just Senator Florez); I discussed the technology underpinnings of email, how messages are delivered, etc. My brief was “explain it at an elementary school level”, which I think I accomplished fairly well. I then hung around for the rest of the testimony from other folks, including AOL/Goodmail.
One thing I had encouraged the Senator to ask them about was what sort of liability the two companies believed they might have in cases where illegitimate mail was “certified” by the companies, resulting in damage to an AOL user who relied on that stamp of trust. Amazingly, on the record, both companies emphatically stated that they would be fully liable in such a case. I was utterly amazed. The potential liability is enormous, and goes some good way towards possibly explaining why Goodmail charges such seemingly high rates for its stamps — Goodmail’s CEO said in testimony that the price sheet ranges from 1 cent per email at low volumes for commercial senders to 0.25 cents per email at high volume (over 1,000,000 stamps per month) to 1/25 cent per email for 501(c)(3) and 501(c)(4) not-for-profits. Ebay apparently sends somewhere on the order of 1 billion emails per month, so a Goodmail stamp deal there at list price would generate somewhere on the order of $250 million in revenue per month for Goodmail. Now, I would expect Ebay is capable of bargaining themselves a discount. There aren’t any particularly good data on the financial scale of damages due to individual phishing attacks or virus outbreaks (if there are, I haven’t seen them anyway), but picture that a Goodmail stampee is somehow compromised, and a certified message is sent out which is either a phish, or is perhaps infected with a virus. That email arrives in AOL users’ inboxes with a “Certified utterly reliably good” stamp on it, and the user opens the mail, and hands over their entire life savings. Times a few hundred thousand AOL users. Now all of a sudden, $250MM per month isn’t looking like all that much revenue any more.
And of course that assumes that the spammers/phishers/virus-infectors will even bother compromising a valid Goodmail sender. If AOL continues to provide its “enhanced” whitelist, which allows senders with historic patterns of good behavior to include embedded images and links, then I can easily foresee spammers/phishers gaming that system to earn “enhanced whitelist” status, and then embedding the Goodmail “CertifiedEmail” logo in the message body of a bogus email. I can tell you right now, with no specific user testing on this, that a huge percentage of users wouldn’t notice that the “CertifiedEmail” stamp is in the message body, and not in the special area of the message display UI that the AOL client uses for valid use of that logo. Now in this situation, where Goodmail hasn’t actually certified the email, but it appears to AOL users that the email is indeed certified by AOL/Goodmail, and they lose their life savings, is AOL liable? Remember that AOL granted “enhanced whitelist” status to this sender. And remember that they were adamant in hearings in the CA Senate that they were liable.
Aside: Does anyone know if Goodmail’s message-hash-in-an-X-header system actually works in the face of the usual RFC 2822 munging that goes on in the real world, or does it suffer from the same issues that DKIM seems not to have solved yet, in that munging breaks the message hash? And if it does suffer from hash-breaking in some cases, then do you get a refund for those stamps which end up being useless?
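To make the “munging breaks the hash” question concrete, here is an added example (not Goodmail’s scheme, whose internals I don’t know, and not code from this post) showing the two body canonicalizations DKIM defines in RFC 6376: “simple”, which hashes the body almost verbatim, and “relaxed”, which normalizes whitespace first. The message bodies and the relay behaviours (trimmed trailing spaces, a tab rewritten, extra blank lines, an appended footer) are constructed for the demonstration. It shows that relaxed canonicalization survives whitespace munging that breaks simple, while an appended footer breaks both, which is exactly the kind of transformation no body hash can be made immune to.

```python
import base64
import hashlib
import re

# Constructed sample: the body as signed, and two copies after relays have "munged" them.
ORIGINAL = b"Hi all,\r\n\r\nThe new connector  board ships Friday.\r\n\r\n"
# A relay that trims trailing spaces, rewrites tabs and appends blank lines.
WHITESPACE_MUNGED = b"Hi all,  \r\n\r\nThe new connector board ships Friday.\t\r\n\r\n\r\n"
# A gateway that appends a footer (constructed text).
FOOTER_MUNGED = ORIGINAL + b"--\r\nScanned by the outbound gateway.\r\n"


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 ("simple") and 3.4.4 ("relaxed").

    Assumes CRLF line endings, as on the wire; bare LF is not normalized here.
    """
    if mode not in ("simple", "relaxed"):
        raise ValueError(f"unknown canonicalization: {mode}")
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of SP/HTAB inside a line to one SP, then drop whitespace before CRLF.
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # RFC 6376: an empty body canonicalizes to CRLF under "simple" and to nothing under "relaxed".
        return b"\r\n" if mode == "simple" else b""
    # A non-empty body always ends in exactly one CRLF after canonicalization.
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """The value a signer puts in the bh= tag: base64(sha256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def hash_survives(original: bytes, received: bytes, mode: str) -> bool:
    """True if a verifier recomputing bh= over `received` gets the value signed over `original`."""
    return body_hash(original, mode) == body_hash(received, mode)


if __name__ == "__main__":
    for label, received in (("whitespace munging", WHITESPACE_MUNGED), ("appended footer", FOOTER_MUNGED)):
        for mode in ("simple", "relaxed"):
            print(f"{label:18s} {mode:8s} hash intact: {hash_survives(ORIGINAL, received, mode)}")
```

Header canonicalization (folding, case of field names) is the other half of the problem and is handled separately in DKIM; the body hash above is only the part a “hash in an X-header” scheme would most obviously have to get right.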
Permalink
10.15.05
Posted in Spam at 4:41 pm by Craig
Holy cow, I just thought of a neat way of sending spam that might be really hard to filter effectively. It occurred to me when I got a legitimate email from Google Alerts, where I have a standing “gumstix” query registered. Here are 2 blog entries I got notified of today:
Blog 1
Blog 2
Now at first glance, those both look like potentially interesting pages with some content you might want to read. But when you look a little closer, you notice that there are HTML syntax errors, and occasional “odd” links embedded in those pages. For example, a link to “Lawyer Professional Liability Insurance” in the middle of a sentence which is talking about an embedded Linux machine. Then you notice that each paragraph/section of Blog 1 has the word “connector” in it, or is about a connector or a device with a connector on it. The second one is all about podcasts, but not in a way which is coherent. Then it struck me what’s going on here: these blogs are both fake, and are designed to boost the Google rating of the links they have embedded in them. And they’re being generated in a nifty way.
More than likely, the spammer has subscribed to some blog search engine for “connector” in the first case, and “podcast” in the second case. When they get new posts from the search feed, they automatically post them on to their spam blog, merging in the occasional link to the site they’re trying to boost. That’s of course trivially easy to do with RSS. And more or less impossible to stop. And because there’s a human generating the original post which came to the spammer via their feed, the articles *look* kosher. It would be very hard for an automated engine to notice that 10% of the links on the page are fake; very hard to distinguish these from real blog posts, since they are real blog posts. And then something further occurred to me.
You could totally do this with email spam. What happens if you’re a spammer who has a collection of email addresses scraped from websites? Ok, let’s redesign your web-scraping app to not only collect email addresses, but also record 5 random (non-stopword) words from the page on which you find the email address. Now you have an email address and 5 words which are in some way connected semantically to the addressee. You are now in the 2nd phase of spamming: the actual sending of the spam. So you take the 5 keywords, fire them off at some blog search engine, and get back a couple of blog posts on topics related to what the spammee is interested in — i.e. it’s likely pretty darned Bayes-proof for that recipient. Now, either inject your own message into the mix of real blog posts, or else replace links in the posts with links to your herbal remedy/penny stock/porn/ebay scam and away you go! And as an added bonus, because it’s for sure a subject that the recipient is interested in, and on top of that it looks like a real email, the user is way more likely to actually click through.
So now I’m curious as to how long it is until I start receiving email spam whose content is obviously pirated from a real blog.
And even more curious about how spam-filtering engines are going to be able to address this without collaterally preventing the unmunged blog posts from getting through too. I suppose the usual network checks (DNSBLs and such) will still be helpful here, but those are never as effective as when combined with content checks. This strategy would basically be capable of wiping out any content check’s ability to distinguish ham from spam.
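One content check that does survive this trick is comparing the message against the post it was lifted from: the text will be near-identical, but the set of links won’t be. The following is an added example (my illustration, not anything from this post or from any filter product) of that comparison. The blog post and the received copy are constructed; the hostnames are from the reserved example.* ranges. It reports a text-similarity ratio plus the links that were spliced in and the original links that went missing, which is the signal a filter would want, while a faithful copy of the same post produces no injected links and is left alone.

```python
import difflib
from html.parser import HTMLParser

# Constructed sample: a real blog post as it appeared in the feed, and a copy that
# arrived as email with the original link retargeted and a second link spliced in.
ORIGINAL_POST = (
    '<p>Got the gumstix board talking over the '
    '<a href="http://example.org/posts/connector">new connector</a> today. '
    'Power draw is lower than I expected.</p>'
)
RECEIVED_MAIL = (
    '<p>Got the gumstix board talking over the '
    '<a href="http://stock-tips.example.net/go">new connector</a> today. '
    'Power draw is <a href="http://insure.example.net/lawyer">lower</a> than I expected.</p>'
)


class _LinksAndText(HTMLParser):
    """Collect every href and the visible text of an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.chunks.append(data)


def extract(html: str):
    """Return (list of hrefs in document order, whitespace-normalized visible text)."""
    parser = _LinksAndText()
    parser.feed(html)
    parser.close()
    text = " ".join("".join(parser.chunks).split())
    return parser.hrefs, text


def compare_with_source(original_html: str, received_html: str) -> dict:
    """How closely the received copy follows the source post, and which links differ."""
    orig_links, orig_text = extract(original_html)
    recv_links, recv_text = extract(received_html)
    similarity = difflib.SequenceMatcher(None, orig_text, recv_text).ratio()
    orig_set, recv_set = set(orig_links), set(recv_links)
    return {
        "similarity": similarity,
        "injected": [h for h in recv_links if h not in orig_set],  # links the spammer added
        "dropped": [h for h in orig_links if h not in recv_set],   # original links that were retargeted
    }


def looks_like_hijacked_copy(original_html: str, received_html: str, min_similarity: float = 0.9) -> bool:
    """Flag a message whose text matches the source post but whose links do not."""
    result = compare_with_source(original_html, received_html)
    return result["similarity"] >= min_similarity and bool(result["injected"])


if __name__ == "__main__":
    print(compare_with_source(ORIGINAL_POST, RECEIVED_MAIL))
    print("hijacked copy:", looks_like_hijacked_copy(ORIGINAL_POST, RECEIVED_MAIL))
```

The catch, which is the crux of the worry above, is that the filter has to find the source post first; in practice that means querying the same blog search engines the spammer used with a distinctive sentence from the message, which costs a lookup per message and only works once the original has been indexed.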
Permalink
10.04.05
Posted in Spam at 12:50 pm by Craig
Justin blogs this link. I’m often surprised by how naïve your average techie person is about financial matters, but a correlation like the one shown seems to me to indicate the ability to make a shitload of money on spammed stocks. From his numbers, you could have borrowed 1,000 shares of the listed stocks on the dates they were spammed, sold them short, and be up over $8,000 in only a couple of months, with your only investment being the vig on the borrowed stock (which would maybe amount to a couple hundred bucks over that time period).
Anyone want to finance a new investment syndicate to automate this?
Permalink
01.27.04
Posted in Spam at 3:11 am by Craig
Mystery prize to the first person who can tell me whether the definition of “internet access service” as referenced in the CAN-SPAM act (the definition is at 47 USC 231(e)(5)) means that under CAN-SPAM there is in fact a private right to sue spammers, which is not limited merely to ISPs. It strikes me that anyone with a computer which provides them internet access might qualify. Or at least any business which provides internet access to its employees; or a wide range of other people…
Permalink
01.09.04
Posted in Spam at 7:03 pm by Craig
My old home landline number finally ported to my new Cingular T616 (more about that later — it was an epic story), and while browsing around on the Cingular site reading the terms and conditions on various features I want to activate on my plan, I ran across this snippet under the terms for the GPRS service (bottom of the linked page):
Caller ID blocking is not available when using Wireless Internet and your wireless number is transmitted to Internet sites you visit. You may receive unsolicited messages from third parties as a result of visiting Internet sites and a per message charge may apply whether the message is read or unread, solicited or unsolicited.
Wonderful. So any site you visit with Cingular GPRS will have your phone number, is likely to SMS-spam you, and you’ll have to pay for that. And Cingular has knowingly and deliberately decided not to let you withhold your phone number from the sites you visit.
I had long wondered why the cellphone companies don’t stop SMS spam, and wondered if it was, at least in part, because of the revenue stream they get from the SMS messages that their customers pay for but do not want. This “feature” on Cingular’s GPRS service seems to point in the opposite direction of what the carriers have been saying (including what they’ve been saying to me as an anti-spam developer who’s been talking to the occasional person in the industry about SMS spam filtering products). This clause is basically saying:
- They know that the number for your phone is being sent to sites you visit (not just some anonymous unique ID — but your actual number)
- They know that the sites know this, record the number, and use it to send you unsolicited SMS messages
- They know you don’t want those messages at least some of the time
- They know that you’ll be charged by them for those messages
- They choose to not allow you to stop your number being sent to every site you visit
- They choose to not allow you to not pay for messages you receive but don’t read
Anyone want to provide any explanation for the above facts which presents the carrier in a good light?
Permalink
10.11.03
Posted in Spam at 5:40 pm by Craig
I’ve decided that I like SPF enough to publish DNS records for my domains. They’re set up as softdeny for now to be safe. One problem I foresee if this gets widely adopted is that my MUA won’t currently switch sending SMTP servers based on the From: line of the email I’m sending — so if I’m sending as my work persona from home, my MUA’s going to try sending through my home server — and if work has published SPF records for its domains, that mail is not going to end up in the right place. I suppose I might be able to configure my own SMTP server to relay through the work domain or something, or use something like anubis to do the redirection for me based on the From: line.
Permalink
09.21.03
Posted in Spam at 6:59 pm by Craig
Found this on Boing Boing:
You might be an anti-spam kook. Pretty amusing.
Permalink
05.25.03
Posted in Spam at 5:21 pm by Craig
Welcome, Mr Gates, to the fight against spam. He has written a letter to the Senate Committee on Commerce, Science, and Transportation laying out his thoughts on how to deal with the spam problem. Larry Lessig has a response to his proposal, which talks all about how Bill’s proposal is not the same as Larry’s. This is not the basis of my problems with Mr Gates’s message.
To make matters worse, spam often preys on less sophisticated email users, such as our children, posing a genuine threat to personal security and privacy and threatening the very utility of email as a viable communication tool.
Excuse me? Spam often preys on children? Maybe it’s just because my daughter’s not born yet, but I’ve never seen spam which was targeting children. It seems to generally be advertising porn, or carrying instructions on making money fast, or asking you to come visit lovely Nigeria – all activities which I suspect are much more aimed at adults. Perhaps I just am not getting the “urge your parents to buy the new Spongebob video” spam. Next problem with this sentence: let’s assume Mr Gates is correct and that spam often targets children. How does this pose a genuine threat to personal security or privacy? Child gets Spongebob spam. Direct consequence: armed bandits invade your home. Oh no, Spongebob spam -> FBI pulls your library checkout records and publishes them on the internet. Hmm, maybe Spongebob -> videotaped snuff movie which is then posted to the internet, personal security and privacy all in one. Problem number 3 in a single sentence: Spongebob spam to children threatens the very utility of email? Ok, I think Mr Gates has gone off the deep end.
Let’s give him the benefit of the doubt though – let’s say that he was referring to all spam generally as leading to these problems, one of which is getting stuff into the hands of children which their poor sensitive eyes and psyches can’t deal with. Horribly written, but maybe that’s what he means. In that case, it’s still a bit of a stretch. The only sentiment I can agree with is that the utility of email is indeed being compromised by the flood of noise. Reception of spam does not invade privacy though (unless they found your special secret email address, and sending to that is considered a privacy invasion), and it doesn’t lead to a personal security problem, unless you are flying to Nigeria to meet friendly Gen. Kaduna and putting your life in his hands…
Off to breakfast now, but will append when I return.
Permalink
03.24.03
Posted in Spam at 10:57 pm by Craig
If you want spam, there’s a great report on a study of a variety of ways to get your email address listed by spammers. Interesting how quickly activity tails off once an address stops being published on a website.
Permalink