Spammers have turned a widely-used anti-spam trick - fuzzy text that computers cannot recognise - to their own advantage, according to the head of an anti-spam software developer. The distorted text images are arriving in PDF files touting German penny stocks, in yet another iteration of the pump-and-dump scam that's been …
Working for the spammers
Now that the technology has been developed to read distorted text, it's only a matter of time before the spammers get their mitts on it, and the "security" of distortion is thrown by the wayside.
The spammers are using techniques that legitimate sites use to keep them out to force anti-spammers to develop a solution for the spammers to use.
As a former PlusNet subscriber...
I look forward to receiving a few hundred of these by Monday.
In the mean time
I've found greylisting to be highly effective in stopping spam. I'm sure I'm not the only one. So long as spammers concentrate on finding more ways to obfuscate text and less on fixing SMTP implementations in spam distribution software, greylisting will continue to be a very handy tool.
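Greylisting as the comment above describes it, written out as an added example (it is not code from the page or from any particular greylisting implementation): the first delivery attempt for a never-seen (client network, sender, recipient) triplet gets a temporary failure, a compliant MTA queues the message and retries, and a typical spam cannon never comes back. The 5-minute delay, the lifetimes and the /24 keying are assumed policy values, and the timeline in `demo()` is constructed. It also answers the later complaint in this thread about greylisting "dropping" legitimate mail: the policy returns a 451 temporary failure, never a 550, so a compliant sender's mail is delayed rather than lost.

```python
"""Minimal greylisting policy: tempfail a never-seen (client net, sender, recipient)
triplet, accept it once the sender retries after a delay (stdlib only)."""
import ipaddress
import time

GREYLIST_DELAY = 300            # assumed policy: a retry must come >= 5 min after the first attempt
PENDING_LIFETIME = 4 * 3600     # forget triplets that never retry (zombies)
KNOWN_LIFETIME = 35 * 86400     # triplets that passed stay whitelisted for ~5 weeks of use

# SMTP replies. 451 is a *temporary* failure: a compliant MTA queues and retries.
# Answering 550 here would be the misconfiguration that loses legitimate mail:
# the sending MTA bounces instead of retrying.
DEFER = (451, "4.7.1 Greylisted, please retry later")
ACCEPT = (250, "2.0.0 OK")


class Greylister:
    def __init__(self):
        self.pending = {}   # triplet -> time of first attempt
        self.known = {}     # triplet -> time of last accepted delivery

    @staticmethod
    def triplet(client_ip, sender, rcpt):
        # Key on the client's network rather than its exact address: sending pools
        # often retry from a sibling host, which would otherwise reset the clock.
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def expire(self, now):
        self.pending = {k: t for k, t in self.pending.items() if now - t <= PENDING_LIFETIME}
        self.known = {k: t for k, t in self.known.items() if now - t <= KNOWN_LIFETIME}

    def check(self, client_ip, sender, rcpt, now=None):
        """Decision for one RCPT TO; returns an (smtp_code, text) pair."""
        now = time.time() if now is None else now
        self.expire(now)
        key = self.triplet(client_ip, sender, rcpt)
        if key in self.known:
            self.known[key] = now          # refresh so regular correspondents never wait again
            return ACCEPT
        first = self.pending.get(key)
        if first is None:
            self.pending[key] = now        # first sight: defer and start the clock
            return DEFER
        if now - first < GREYLIST_DELAY:
            return DEFER                   # retried too soon (some spamware hammers immediately)
        del self.pending[key]
        self.known[key] = now
        return ACCEPT


def demo():
    """Constructed timeline: a zombie fires once and gives up; a real MTA retries."""
    g, t0 = Greylister(), 1_700_000_000.0
    log = []
    log.append(g.check("203.0.113.5", "bot@example.net", "me@example.org", t0)[0])            # zombie: 451
    log.append(g.check("198.51.100.10", "alice@example.com", "me@example.org", t0)[0])        # real MTA: 451
    log.append(g.check("198.51.100.10", "alice@example.com", "me@example.org", t0 + 60)[0])   # too soon: 451
    log.append(g.check("198.51.100.11", "alice@example.com", "me@example.org", t0 + 900)[0])  # sibling host retries: 250
    log.append(g.check("203.0.113.5", "bot@example.net", "me@example.org", t0 + 5 * 3600)[0]) # zombie again after expiry: 451
    log.append(g.check("198.51.100.10", "alice@example.com", "me@example.org", t0 + 86400)[0])  # now known: 250
    return log


if __name__ == "__main__":
    print(demo())
```

In a real MTA hook the same `check()` call sits behind the RCPT TO stage (a Postfix policy daemon or a milter, for example), and the two dictionaries would live in something persistent so a restart does not re-delay everyone.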
No big deal
Although it's definitely worth mentioning, as it does impact managed anti-spam services pretty badly, as far as the average geeky user is concerned that's not a big deal. The number of times I receive a mail from a valid sender with a PDF/GIF attached can probably be counted on the fingers of both hands per year!
Thus Thunderbird has learnt the trick after seeing that crap 3-4 times ...
Looking forward to the next spammer trick ...
Missing the point?
I can barely be bothered to read distorted text in captchas; why the hell do they think anybody is going to bother when it's just stock spam?
Spammers only spam because they make money from it.
Once all the retards have no money left to buy penny stocks/drugs the spammers will go out of business.
It's just another form of Darwinism.
As text gives way to images...
...so the volume of spam takes another ten-fold increase and the amount of legitimate internet traffic drops from 30% (or whatever it is today) to about 3%. Still, it will give us something to put into all that dark fibre we've just spent squillions of pounds deploying.
PDFs have hashes....
SPAMMERS will need to be careful how widely they propagate their PDFs. Each PDF document will have a unique fingerprint (hash) and thus SPAM filters can be set up to detect SPAM. Or is there something I am not considering?
I've been getting loads of these. I assumed there was a PDF exploit....
It's a safe bet that since spammers are distorting text, they are creating enough unique PDFs that identification through hashes becomes impractical. The good ol': Message->Distort->Send to x, where x is a small positive integer.
It's irrelevant here
We block the ISP sending the spam (or a /24 if it's a huge ISP), so spammers have to keep infesting more zombies. The same ISPs - a group of about a dozen - are responsible for 99% of the spam not coming from Asia. Of course, Asian IP space is block-on-sight.
privacy = spam
One minute people are moaning about how important their privacy is and how it's absolutely terrible that the likes of Google keep your search queries and IP addresses for 18 months (oh the horror)... or more to the point having to identify yourself before getting an e-mail account...
Next minute people are moaning about how much spam they're getting because of all these tricks the spammers can use to abuse a, frankly, flimsy system, easily susceptible to anonymity... or the fact terrorists are plotting their next attack over the Internet....
You can't have your cake and eat it. The fact is, e-mail was never designed for the kind of usage it is getting these days and if something more secure were ever to replace it well, there'd have to be more accountability.
The solution is very simple
One could just simply check what percentage of the words in a PDF (or e-mail message, for that matter) are misspelled and assign a spam score to the message based on that. Of course, this process can be fairly time consuming, but then again, it will take less time than doing it by hand.
So, take that distortion!
Re: PDF spam
"I've been getting loads of these. I assumed there was a PDF exploit...."
That's still a safe assumption to make. My spam filters do a good job recognizing the characteristics of the sender.
The first time I saw one of those, I thought the same thing.
The original email system
was intended to be used amongst trusted computers. If we want a trusted network, all we need to do is make a trusted server network by hand. By enforcing email server registration, one can be sure that no company would allow spam traffic through its servers. The server registration can be done the same way as the DNS registration, by requiring certain accountability data from all organisations in exchange for their MX record. Mail that comes from a chain that has a server with a missing reverse MX record is almost always spam. (People send and receive files through their service provider or company mail server; they don't directly send from their own computer.) This tackles zombie machines.
The other problems are hacked mail servers, which are more trouble than they're worth for spammers, and hacked or fake user accounts, which can be filtered because the sender and the reply address should match, and it's not easy to maintain several thousand fake email accounts, so spammers tend to change the reply address.
The third form of defense could be a central user reported spam database, so if enough users report the same message as spam, a central database could mark the provider or mail account as a spam source. This list can be checked against before accepting a new mail. This database can be abused so care must be taken to avoid false positives and in most cases the first two checks should be enough.
The last solution would be to attack those who use spam for their business, so instead of finding the spammers one can always find some form of contact address otherwise the spammers could not get their money.
The four solutions above would leave only non-money-oriented spammers operating with hacked servers or accounts in business. For most of them, this wouldn't be worth the trouble.
Easier to filter
Spammers are making things easier to filter. I rarely receive PDFs and can now filter messages based on attachments.
Survival of the fittest.
Simple fact of the matter is that nothing we do to limit the spammers will stop them. At least on the technical side of things anyway. The only way to defeat spammers and malware authors is to require that all internet users are educated in the basics of IT security before they are allowed to go online.
A lot of the people who read the Reg are very talented IT experts, but most peeps out in the real world know nothing about how computers work or filtering systems etc. They want point-and-click computing, like they get with the TV: turn it on and what you want happens. These people are the weak link, the dumb users, the targets.
Remove the dumb user from the equation and the spammer has no target. Educating users in basic safety and security is the only way to do this. Anyone without this basic common sense knowledge should not be allowed to have an internet connection, until they have been taught it.
This would not mean going back to school or anything like it. Just some simple guidance from the ISPs when they install the service for the user. Back that up with a decent user support line to provide both technical help and basic tutoring in IT security to our less technical members of the community and there you have it.
Show people how to defend themselves before they come under attack rather than expecting them to know how to do it or where to look for the info themselves.
Simple idea really but until it is made an industry wide standard then we will always have the poor dumb user and the spammer.
Been getting them for a while...
And except for the first 2 or 3, all are now sent directly to the spam dir thanks to dspam. I also tell everyone not to send me attachments and such and to use plain text. So anything that differs from that I can more or less consider spam...
We don't need to solve their problem for them
Finding a fix for this doesn't mean writing software to break captchas. They need to be able to accurately read captchas and return the original text. Spam filters only need to recognise that distorted text is the main content of an attached PDF to get really good results.
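The point of this comment in working code, as an added example rather than anything from the page or from any filter product: the filter never reads the distorted text, it only notices that the attached PDF draws an image and shows no text at all. The two PDFs and the MIME message are constructed fixtures built inline (not captured spam), the scanner is a regex heuristic rather than a real PDF parser, and the score weights and the ten-word body threshold are assumed.

```python
"""Flag mail whose PDF attachment is really just a picture (stdlib only)."""
import email
import email.policy
import re
import zlib
from email.message import EmailMessage

# --- constructed sample PDFs (fixtures for the example, not real spam) -----------

def _stream(dict_entries, data):
    return (b"<< " + dict_entries + b" /Length %d >>\nstream\n" % len(data)
            + data + b"\nendstream")


def _build_pdf(objects):
    """Serialise object bodies 1..n into a PDF with a correct xref table."""
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref)
    return bytes(out)


def make_sample_pdf(image_only):
    """One page: either real text drawn with a Type1 font, or a single image XObject
    filling the page (the shape of the 'distorted text' PDFs the thread discusses)."""
    if image_only:
        resources = b"/XObject << /Im1 5 0 R >>"
        content = b"q 612 0 0 792 0 0 cm /Im1 Do Q"
        obj5 = _stream(b"/Type /XObject /Subtype /Image /Width 2 /Height 2 "
                       b"/ColorSpace /DeviceGray /BitsPerComponent 8", b"\x00\xff\xff\x00")
    else:
        resources = b"/Font << /F1 5 0 R >>"
        content = b"BT /F1 12 Tf 72 720 Td (Quarterly report attached) Tj ET"
        obj5 = b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>"
    return _build_pdf([
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << " + resources + b" >> >>",
        _stream(b"/Filter /FlateDecode", zlib.compress(content)),  # content streams are usually deflated
        obj5,
    ])

# --- the detector ------------------------------------------------------------------

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_OP_RE = re.compile(rb"\((?:[^()\\]|\\.)*\)\s*Tj|\]\s*TJ")   # Tj / TJ text-showing operators
IMAGE_RE = re.compile(rb"/Subtype\s*/Image")


def pdf_features(pdf):
    """Cheap structural features without a full PDF parser; treat as a heuristic."""
    if not pdf.startswith(b"%PDF-"):
        return None
    text_ops = image_draws = 0
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        # The stream dictionary sits just before the 'stream' keyword; inflate if deflated.
        if b"/FlateDecode" in pdf[max(0, m.start() - 200):m.start()]:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        text_ops += len(TEXT_OP_RE.findall(data))
        image_draws += len(re.findall(rb"/\w+\s+Do\b", data))
    return {"images": len(IMAGE_RE.findall(pdf)), "text_ops": text_ops, "image_draws": image_draws}


def build_message(pdf_bytes, body):
    """Constructed test message carrying the PDF (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.net", "me@example.org", "Report"
    msg.set_content(body)
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


def score_message(raw):
    """Return (score, reasons); a site would feed the score into its usual filter."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    score, reasons, saw_pdf = 0, [], False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "application/pdf" and not name.endswith(".pdf"):
            continue
        saw_pdf = True
        feats = pdf_features(part.get_payload(decode=True) or b"")
        if feats is None:
            score += 2; reasons.append(f"{name}: claims to be PDF but has no PDF header")
        elif feats["text_ops"] == 0 and (feats["images"] or feats["image_draws"]):
            score += 3; reasons.append(f"{name}: image-only PDF ({feats['images']} image(s), no text operators)")
    body = msg.get_body(preferencelist=("plain", "html"))
    words = len(body.get_content().split()) if body else 0
    if saw_pdf and words < 10:
        score += 1; reasons.append(f"PDF attachment with almost no covering text ({words} words)")
    return score, reasons
```

Because the heuristic keys on structure (an image XObject drawn onto a page with no Tj/TJ text operators) rather than on the pixels, it is indifferent to how the text in the picture is distorted, which is exactly why the spammers' CAPTCHA trick buys them nothing against it.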
Captchas are already being defeated
Many styles and types of captcha are already broken and machine readable with high accuracy rates.
Some still evade easy machine interpretation and new ones are introduced from time to time by big commercial operations (e.g. for MSN/Passport, Yahoo etc).
Morely Dotes, you pillock
"Of course, Asian IP space is block-on-sight." ... thanks a bloody bunch. I just hope that any email I send to one of your mail servers is way more important to you than it is to me.
Scott, in Bangkok
Good Idea Geoff.
If it's readable and spam then it's spam. If it's distorted then it's spam too.
To Andrew Crystall
"... and in the mean time badly configured greylisting software - something like 60% of the time I encounter it - is dropping legitimate mail from legitimate senders because it's spam."
In that case you are almost certainly not running a properly set up mail server - it actually takes effort to set up greylisting to drop legitimate mail (or rather mail from compliant senders). But look on the positive side: at least with greylisting you should know that your message didn't get through (unless, again, your own systems are broken) instead of it having been silently thrown away by spam filters!
I use a whitelist
The vast amount of mail I get is first filtered on whitelist - anything not approved is thrown into a temp file. When I'm interested, I go through my temp file and filter on blacklist - anything from domains, countries and subjects that I do not approve of is deleted (and yes, Bangkok is on the list since none of my friends or acquaintances will ever write from there).
Whatever is left is usually spam, allowing me to refine my filter, or it is a message from some outfit I have not yet filtered, allowing me to choose whether to whitelist it, blacklist it, or ignore it.
PDF spam? Pah! If it's in the temp box, it can only be crud. All attachments are destroyed without even hesitating.
"I just hope that any email I send to one of your mail servers is way more important to you than it is to me."
Why's he a pillock? He's decided not to receive mail from Asian IP ranges in the mailboxes he administers - so what? That's his decision - he has to live with it.
His server, his rules...
That's all well and good, and if it's only mail being sent to him then no problem. But there are people like him working at larger companies whose job it is to provide an email service (incoming and outgoing).
For example, I cannot use my company's mail servers (which I set up myself) to send email to any AOL users because of recent changes in AOL's policy. People like the aforementioned pillock have decided that a mail server in my ISP's IP address range cannot send mail to AOL's mail servers.
All well and good, you might think - I simply switched to forwarding all outgoing mail through my ISP's own mail server, and that worked for a while. But then AOL changed policy again to block all email that was *originally sourced* from my ISP's address range, regardless of which server sent it to AOL.
So that's it - there is no way I can send email to AOL, and if any of our customers use AOL (again - something way beyond my control), our company cannot send email to them, unless we use Hotmail or something. There's an irony in there, thinking about it.
"But there are people like him working at larger companies whose job it is to provide an email service (incoming and outgoing)."
True, but I'd argue that part of providing that service - presumably a large part of a mail admin's job - is deciding what to allow into the networks that they administer. It's their choice, or it's the policy of the company where they work - either way if they choose not to accept mail from certain IP ranges, or which contains the word "aardvark", or on Tuesdays, then that's up to them. Of course if this means that they lose some mail they might otherwise have wanted, then they only have themselves to blame :-)
Once an admin has made that decision, and you find yourself on the wrong side of it, then your options are either send in a manner that they do accept, or ask them to poke a hole in whichever rule you're falling foul of, or live with it. My point was that taking that decision in the first place doesn't necessarily make the admin a pillock :-)