Friday 21 February 2003
Spam
New Spam Tactics

Maybe this isn’t all that new a tactic, but I don’t spend all of my time looking at spam, either. Every few weeks I look through the things that my spam filter hasn’t caught, and I try to figure out appropriate rules to ensure that whatever particular tricks the spammers have adopted won’t continue to work.

I’ve written before about spammers making strenuous attempts to get around filters. It seems idiotic to me, to go to extra trouble to see to it that your messages get through to people who’ve taken specific steps to not read your message, but then I’m not a spammer, so what do I know?

Until recently, the spammers got around people who excluded messages that included words like “fuck” and “viagra” and “cock” and “hardcore” by spelling these things differently or by mixing punctuation or spaces in: “F U C K”, “V.I.A.G.R.A”, “C0CK” (that’s a zero), and “HARDC0RE” (another zero) served them well for a while.

It didn’t take too long for people to incorporate this stuff into their filters. A zero surrounded by letters doesn’t normally occur, so a rule to exclude “C0CK” is easy. Strip the punctuation before running the message through the filter, and “V.I.A.G.R.A” is no problem. Assuming that most of your incoming messages are in English, it’s safe to assume that messages containing “F”, “K”, and a lot of other single letters surrounded by whitespace involve someone trying to hide potential red-flag words.

The spammers are determined to make money out of this while they can, though, and they’ve now started putting empty HTML tags in their messages, breaking up suspect words.

(Warning: I include an excerpt from a sexually-explicit spam below this point. You might not want to read any more if you are of a squeamish nature.)

A spam I got today includes this text:
That’s what you see when you view the message normally. If you look at the HTML source of the message, though, you see this:
All those tag-pairs in there don’t do anything visually; they’re just there to break up certain words so as to make searching for “cocks”, for example, more difficult. However, since nobody actually uses those empty tags in legitimate e-mail — I checked HTML mail generated by AOL and Microsoft Outlook and Outlook Express for this — it’s a simple matter to just look for no-content tag pairs, and, if you find them, to bin the e-mail.

Result: the use of empty HTML tags in an attempt to defeat filters actually makes it easier to reliably filter out spam, since only spammers would go out of their way to attempt to get around filters.

The spammers and the anti-spam forces are participating in an experiment in evolution that would be fascinating to study in depth. (Unfortunately, spammers do not really publicize their tactics except by mailing out the results to millions of people.) As spam evolves through various attempts to gain exposure, spam-killers evolve to kill the evolved spam. As the killers evolve and become more sophisticated, the evolutionary tactics of the spammers become more and more desperate, to the point where most of these new spam tactics today actually make it easier and easier to reliably detect spam. Eventually, we will arrive at a point where all practical methods of getting spam to slip past filters have been tried and defeated, and the spam wars will be no more.

It’s been predicted pretty frequently that war — actual war, the kind with soldiers — would be eliminated by the use of some new technology: gunpowder, airplanes, machine guns, nuclear bombs, etc. that just made war too terrible and costly to contemplate. Every time, these predictions have proven to be false, since of course you don’t have to use nuclear weapons, for instance, to fight a war.
Advances in spam-fighting technology, though, are less like nuclear weapons, and more like something you could spray over your cities that would cause explosives of all kinds to magically not explode. The bomb — the spam — is rendered completely ineffective. As the spammers continue to innovate, so will the spam-fighters, until eventually the only unsolicited commercial e-mail that will be able to get through is one that comes from a verifiable source, that’s non-offensive, that doesn’t appear to employ subterfuge to defeat filtering, and that doesn’t offer any of the low-value, low-volume, high-margin products that spam requires — which is to say that no spam will be able to get through.
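
The no-content tag pair check described in this entry, as an added example (this is not the author's own filter rule). The regular expressions, function names, the `watchwords` list and both sample bodies are assumptions constructed here; counting the pairs that sit inside a word and listing the words they hide goes a little beyond the entry's simple "any empty pair means bin it" rule.

```python
import re

MARK = "\x00"  # placeholder left where a no-content tag pair was removed
# <tag ...>, then nothing but whitespace/placeholders, then </tag>
EMPTY_PAIR = re.compile(r"<([a-z][a-z0-9]*)\b[^>]*>[\s\x00]*</\1\s*>", re.I)
# one or more removed pairs with a letter directly on each side
WORD_SPLIT = re.compile(r"(?<=[a-z])\x00+(?=[a-z])", re.I)
ANY_TAG = re.compile(r"<[^>]+>")


def collapse_empty_pairs(html):
    """Replace each no-content tag pair with MARK; return (text, pair count).

    Repeats until nothing changes, so nested pairs such as <i><u></u></i>
    are caught as well.
    """
    html, total = html.replace(MARK, ""), 0
    while True:
        html, n = EMPTY_PAIR.subn(MARK, html)
        if n == 0:
            return html, total
        total += n


def analyse(html, watchwords):
    """Report empty-pair evidence and the watchwords those pairs were hiding."""
    marked, pairs = collapse_empty_pairs(html)
    rendered = ANY_TAG.sub("", marked.replace(MARK, "")).lower()
    raw = html.lower()
    return {
        "empty_pairs": pairs,
        "word_splits": len(WORD_SPLIT.findall(marked)),
        # words a reader sees but a search of the raw source misses
        "hidden_words": [w for w in watchwords if w in rendered and w not in raw],
        "bin": pairs > 0,  # the rule from the entry: any empty pair means spam
    }


# Constructed samples, not taken from real mail.
SPAM = 'Cheap V<b></b>ia<font size="1"> </font>gra, no pres<i><u></u></i>cription'
HAM = '<p>Lunch on <b>Friday</b>?<br>See the <a href="http://example.com/menu">menu</a>.</p>'

if __name__ == "__main__":
    for name, body in (("spam", SPAM), ("ham", HAM)):
        print(name, analyse(body, ["viagra", "prescription"]))
```
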
Comments
Interesting news story on wired a few days ago: http://www.wired.com/news/infostructure/0,1377,57613,00.html

“A significant number of spammers apparently aren’t at all interested in whether anyone buys their wares. Instead, they feed off other spammers in a bizarre cannibalistic pyramid scheme.

“Turns out, most spammers make money selling e-mail addresses to other spammers, who then sell those same addresses to others. It’s like the legendary snake eating its own tail.”

Posted by: eric at February 22, 2003 03:50 AM

As of this week, I have started to get spam with slashes and underscores breaking up dirty words in the subject. The spam filter is still getting them because of the content of the message body, but it’s a new technique.

Posted by: Nicole at March 6, 2003 09:27 AM

I have been using Spam Bully to control spam for about three months now. I am very pleased with it. One of the nice things is that it is a plug-in to your email client. It can be used with Outlook, Outlook Express. The price is reasonable and it catches about 99% of my spam. http://www.spambully.com

Posted by: Moldova at July 2, 2004 12:00 PM