Posts in category Spam

Neat. A new way to track website visitors!

Mar12
2009 1 Comment Written by Craig

For some reason, there seem to be very few “dynamic” DNS servers, which use DNS to server things which aren’t really “normal” DNS records, or that have much in the way of side-effects.

But Firefox 3.5 has a new feature which may start to change that. Now, for Firefox 3.5 users anyway, you can embed a link in a webpage and use that link’s presence on the page to track someone (à la 0-pixel image tag) in a new way. eg:

<a href=”someuniqueid.mydomain.com” style=”visible:false”> </a%gt;

Now, left as an exercise for the reader: integrate the DNS lookup logs for that unique ID with your web logs.

There’s other neat stuff I’ve been thinking of doing with a customized “dynamic” DNS server (ie one not backed by a zone file to do the resolution, but which returns results based on logic operations on the queried record). Here’s 2 examples:

  • Email sender verification stuff; ie receive email from craig@rungie.com, get info about craig by looking up TXT record for craig._mailsender.rungie.com; or maybe get RBL-like 127.0.0.0/8 style A records instead of TXT but about the SENDER not just the sending domain/IP
  • Heck, ask if a msg ID really came from the domain in question. Receive message-id: “from” rungie.com and lookup FF06863C-4FD9-42C3-95F4-A62A73ABA773_rungie_com._messageids.rungie.com

DNS caching can be neat/useful in all of the above cases when you can control TTL.

Posted in Tech/Geek

On the time domain, with regard to spam

Dec22
2008 1 Comment Written by Craig
One year of mail on my server

So. There has, off and on, been a debate on whether or not the day/time at which an email arrives at your system from the outside world can be used to help determine whether or not the message is spam. The argument has generally been inconclusively decided, with rules providing for such identification generally not getting folded into projects such as SpamAssassin. I have till now been tentatively on the side of those who favor putting such rules in. Now I’m fully convinced that this must be a useful test. The chart above shows the volumes of non-filtered email traffic in and out of my web server, plotted over the last 12 months. Notice the regular weekly spikes in traffic numbers; weekdays see a lot more email than weekends. This is sure to surprise nobody. Note that spam, viruses, etc have been filtered out of this stream; this is only “real” mail and false-negatives. Ignore april. I had logging problems in April.

Now.

Malmail detections in email over the previous 12 months

Notice the complete lack of weekly spikes in that data. ["Rejected" by the way means I rejected the incoming SMTP connection before it even started speaking protocol at me, ie based just on the IP address. Almost all of those will be spam sources in XBL or SORBS's SOCKS registry.]

So, we have massive swings in total email volume during the week. But no swings in malmail (spam, viruses, etc). Therefore, the ratio of malmail to real mail clearly is affected by time of day/day of week. If mail arrives outside of “normal email” hours, it surely is much more likely to be malmail; a rule which learns which days/hours are good vs bad and scores mail accordingly surely would be useful for identifying and filtering out malmail.

Secondly, I’ve noticed anecdotally a pattern on “missed” spam which makes it to my inbox. It arrives in batches. When I’m going through and selecting/deleting based on subject lines in my inbox preview pane, I am almost always shift-selecting to delete multiple adjacent messages, not ctrl- or cmd-selecting to select discontiguous messages. I’ve noticed that generally, I’ll be more or less selecting all messages for a timeslot like 10pm-7am; basically for my personal email, everything that arrives in that window is spam. Not always, but very often. Occasionally I’ll get something from a European who doesn’t sleep at the right times of day. Sometimes something really crazy will happen and a friend will email me from Korea, where time is really fucked up. They might even have like one of those on-the-half-hour timezones over there. Anyway, clearly it’s not a hard and fast rule, but the SpamAssassin umbrella/plugin system with scoring is designed *precisely* for dealing with indications as opposed to hard-and-fast rules.

So, after a multi-year hiatus (partly due to a non-compete agreement which prevented me from doing some work in the field), I think it’s time to get a little back into anti-spam hacking. No doubt there’s some thoughts and previous work on this out there on the lazyweb from which I can benefit. The “it can’t be used to identify spam though” is just not true though — there might be some rules needed to protect against exceptions, but it’s obvious looking at those graphs above that it can and very likely should be used to help identify spam.

Tagged ,

Goodmail/AOL and the CA state senate

Apr04
2006 Leave a Comment Written by Craig

I testified today in front of a subcommittee of the California State Senate (actually, basically just Senator Florez); I basically discussed the technology underpinnings of email, how messages are delivered etc. My brief was “explain it at an elementary school level”, which I think I accomplished fairly well. I then hung around for the rest of the testimony from other folks, including AOL/Goodmail.

One thing I had encouraged the Senator to ask them about, was what sort of liability the two companies believed they might have in cases where illegitimate mail was “certified” by the companies, resulting in damage to an AOL user who relied on that stamp of trust. Amazingly, on the record, both companies emphatically stated that they would be fully liable in such a case. I was utterly amazed. The potential liability is enormous, and goes some good way towards possibly explaining why Goodmail charges such seemingly high rates for its stamps — Goodmail’s CEO said in testimony that the price sheet ranges from 1 cent per email at low volumes for commercial senders to 0.25 cents per email at high volume (over 1,000,000 stamps per month) to 1/25 cent per email for 501(c)(3) and 501(c)(4) not-for-profits. Ebay apparently sends somewhere on order of 1 billion emails per month, so a Goodmail stamp deal there at list price would generate somewhere on the order of 250 million in revenue per month for Goodmail. Now, I would expect Ebay is capable of bargaining themselves a discount. There aren’t any particularly good data on the financial scale of damages due to individual phishing attacks or virus outbreaks (if there are, I haven’t seen them anyway), but picture that a Goodmail stampee is somehow compromised, and a certified message is sent out which is either a phish, or is perhaps infected with a virus. That email arrives in AOL users’ inboxes with a “Certified utterly reliably good” stamp on it, and the user opens the mail, and hands over their entire life savings. Times a few hundred thousand AOL users. Now all of a sudden, $250MM per month isn’t looking like all that much revenue any more.

And of course that assumes that the spammers/phishers/virus-infectors will even bother compromising a valid Goodmail sender. If AOL continues to provide its “enhanced” whitelist which allows senders with historic patterns of good behavior to be able to include embedded images and links, then I can easily forsee spammers/phishers gaming that system to earn “enhanced whitelist” status, and then embedding the goodmail “CertifiedEmail” logo in the message body of a bogus email. I can tell you right now with no specific user testing on this, that a huge percentage of users wouldn’t notice that the “CertifiedEmail” stamp is in the message body, and not in a special area of the message display UI that the AOL client uses for valid use of that logo. Now in this situation, where Goodmail hasn’t actually certified the email, but it appears to AOL users that the email is indeed certified by AOL/Goodmail, and they lose their life savings, is AOL liable? Remember that AOL granted “enhanced whitelist” status to this sender. And remember that they were adamant in hearings in the CA Senate that they were liable.

Aside: Does anyone know if Goodmail’s message-hash-in-an-x-header system actually works in the face of the usual 2822 munging that goes on in the real world, or does it suffer from the same issues that DKIM seems to not have yet been able to solve, in that munging breaks the message hash? And if it does suffer from hash-breaking in some cases, then do you get a refund for those stamps which end up being useless?

Neat spammer tricks

Oct15
2005 Leave a Comment Written by Craig

Holy cow, I just thought of a neat way of sending spam that might be really hard to filter effectively. It occured to me when I got a legitimate email from Google Alerts where I have a standing “gumstix” query registered. Here are 2 blog entries I got notified of today:

Blog 1
Blog 2

Now at first glance, those both look like potentially interesting pages with some content you might want to read. But if you look more closely, but when you look a little closer, you notice that there are HTML syntax errors, and occasional “odd” links embedded in those pages. For example, a link to “Lawyer Professional Liability Insurance” in the middle of a sentence which is talking about an embedded linux machine. Then you notice that each paragraph/section of Blog 1 there has the word “connector” in it, or about a connector or device with a connector on it. The second one is all about podcasts, but not in a way which is coherent. Then it struck me, what’s going on here: these blogs are both fake, and are designed to boost google rating on the links they have embedded in them. And they’re being generated in a nifty way.

More than likely, the spammer has subscribed to some blog search engine for “connector” in the first case, and “podcast” in the second case. When they get new posts from the search-feed, they automatically post them on to their spam blog, merging in the occasional link to the site they’re trying to boost. That’s of course trivially easy to do with RSS. And more or less impossible to stop. And because there’s a human generating the original post which came to the spammer via their feed, the articles *look* kosher. It would be very hard for an automated engine to notice that 10% of the links on the page are fake; very hard to distinguish these from real blog posts, since they are real blog posts. And then something further occured to me.

You could totally do this with email spam. What happens if you’re a spammer who has a collection of email addresses scraped from websites. Ok, let’s redesign your web-scraping app to not only collect email addresses, but also record 5 random (non-stopword) words from the page on which you find the email address. Now you have an email address and 5 words which are in some way connected semantically to the addressee. You now are in the 2nd phase of spamming: the actual sending of the spam. So you take the 5 keywords, fire them off at some blog search engine, and get back a couple blog posts on topics related to what the spammee is interested in — ie it’s likely pretty darned bayes-proof for that recipient. Now, either inject your own message in the mix of real blog posts, or else replace links in the posts with links to your herbal remedy/penny stock/porn/ebay scam and away you go! And as an added bonus, because it’s for sure a subject that the recipient is interested in, and on top of that it looks like a real email, the user is way more likely to actually click through.

So now I’m curious as to how long it is until I start receiving email spam whose content is obviously pirated from a real blog.

And even more curious about how spam-filtering engines are going to be able to address this without collaterally preventing the unmunged blog posts from getting through too. I suppose the usual network checks (DNSBLs and such) will still be helpful here, but those are never as effective as when combined with content checks. This strategy would basically be capable of wiping out any content checks’ ability to distinguish ham from spam.

Shorting Spammed Stocks?

Oct04
2005 Leave a Comment Written by Craig

Justin blogs this link. I’m often surprised by how naïve your average techie person is about financial matters, but a correlation like the one shown seems to me to indicate the ability to make a shitload of money on spammed stocks. From his numbers, you could have borrowed 1,000 shares of the listed stocks on the dates they were spammed, sold them short, and be up over $8,000 in only a couple of months, with your only investment being the vig on the borrowed stock (which would maybe amount to a couple hundred bucks over that time period).

Anyone want to finance a new investment syndicate to automate this?

On private rights of action against spammers…

Jan27
2004 1 Comment Written by Craig

Mystery prize to the first person who can tell me whether the definition of “internet access service” as referenced in the CAN-SPAM act (the definition is at 47 USC 231(e)(5)) means that CAN-SPAM means that in fact there is a private right to sue spammers, which is not limited merely to ISPs. It strikes me that anyone with a computer which provides them internet access might qualify. Or at least any business which provides internet access to its employees; or a wide range of other people…

SMS spam anyone?

Jan09
2004 1 Comment Written by Craig

My old home landline number finally ported to my new cingular T616 (more about that later — it was an epic story), and while browsing around on the Cingular site reading the terms and conditions on various features I want to activate on my plan, I ran across this snippet under the terms for the GPRS service (bottom of the linked page):

Caller ID blocking is not available when using Wireless Internet and your wireless number is transmitted to Internet sites you visit. You may receive unsolicited messages from third parties as a result of visiting Internet sites and a per message charge may apply whether the message is read or unread, solicited or unsolicited.

Wonderful. So any site you visit with Cingular GPRS will have your phone number, is likely to SMS spam you, and you’ll have to pay for that. And Cingular has knowingly and deliberately made the decision to not allow you not to send your phone number to the site.
Long had I wondered why the cellphone companies don’t stop SMS spam, and wondered if it was, at least in part, because of the revenue stream they get from the SMS messages that their customers pay for, but do not want. This “feature” on Cingular’s GPRS service seems to point in the opposite direction of what the carriers have been saying (including what they’ve been saying to me as an anti-spam developer who’s been talking to the occasional person in the industry about SMS spam filtering products). This clause is basically saying:

  1. They know that the number for your phone is being sent to sites you visit (not just some anonymous unique ID — but your actual number)
  2. They know that the sites know this, record the number, and use it to send you unsolicited SMS messages
  3. They know you don’t want those messages at least some of the time
  4. They know that you’ll be charged by them for those messages
  5. They choose to not allow you to stop your number beind sent to every site you visit
  6. They choose to not allow you to not pay for messages you receive but don’t read

Anyone want to provide any explanation for the above facts which presents the carrier in a good light?

SPF records

Oct11
2003 2 Comments Written by Craig

I’ve decided that I like SPF enough to publish DNS records for my domains. They’re set up as softdeny for now to be safe. One problem I forsee if this gets widely adopted is that my MUA won’t currently switch sending SMTP servers based on the From: line of the email I’m sending — so if I’m sending as my work persona from home, my MUA’s going to try sending through my home server — if work’s published SPF records for its domains, that mail is going to not end up in the right place. I suppose I might be able to configure my own SMTP server to relay through the work domain or something, or use something like anubis to do the redirection for me based on the from line.

Anti-spam Kooks

Sep21
2003 Leave a Comment Written by Craig

Found this on Boing Boing: You might be an anti-spam kook
Pretty amusing.

Bill G joins the fray

May25
2003 Leave a Comment Written by Craig

Welcome Mr Gates to the fight against spam. He has written a letter to the Senate commitee on Commerce, Science, and Transportationg laying out his thoughts on how to deal with the spam problem. Larry Lessig has a response to his proposal, which talks all about how Bill’s proposal is not the same as Larry’s. This is not the basis of my problems with Mr Gate’s messages.

To make matters worse, spam often preys on less sophisticated email users, such as our children, posing a genuine threat to personal security and privacy and threatening the very utility of email as a viable communication tool.

Excuse me? Spam often preys on children? Maybe it’s just because my daughter’s not born yet, but I’ve never seen spam which was targeting children. Seems to generally be advertising porn, or carrying instructions on making money fast, or asking you to come visit lovely Nigeria – all activities which I suspect are much more aimed at adults. Perhaps I just am not getting the “urge your parents to buy the new Spongebob video” spam. Next problem with this sentence: let’s assume Mr Gates is correct and that spam often targets children. How does this pose a genuine threat to personal security or privacy? Child gets spongebob spam. Direct consequence: armed bandits invade your home. Oh no, Spongebob spam -> FBI pulls your library checkout records and publishes them on the internet. Hmm, maybe Spongebob -> videotaped snuff movie which is then posted to the internet, personal security and privacy all in one. Problem number 3 in a single sentence: Spongebob spam to children threatens the very utility of email? Ok, I think Mr Gates has gone off the deep end.

Let’s give him the benefit of the doubt though – let’s say that he was referring to all spam generally as leading to these problems, one of which is getting stuff into the hands of children which their poor sensitive eyes and psyches can’t deal with. Horribly written, but maybe that’s what he means. In that case, it’s still a bit of a stretch. The only sentiment I can agree with is that the utility of email is indeed being compromised by the flood of noise. Reception of spam does not invade privacy though (unless they found your special secret email address, and sending to that is considered a privacy invasion), and doesn’t lead to a personal security problem, unless you are flying to Nigeria to meet friendly Gen. Kaduna and putting your life in his hands…

Off to breakfast now, but will append when I return.

« Older Entries
EnglishFrenchGermanItalianPortugueseRussianSlovenianSpanish