Defeating spamfilters through obsession

[The harasser] was hitting me on email and twitter for more than [2100 messages], and the thing was, those all got past the filters I’ve got in place. So one obsessed crazy man with minimal technical skill and nothing but persistence outperforms all the spambots out there, at least on the scale of individuals, if not in breadth of attack.
PZ Meyers

Dr. Meyers goes on to suggest that spammers could defeat filters just by hiring a bunch of people who would manage an ongoing campaign of identical but not quite emails.
Spammers have beat him by at least a decade. In fact, much of the Nigerian 419 spam and associated scams are hand written and sent out by people paid pennies an email to send them.
Where everything falls apart, though, is getting a response. The harasser didn’t need a response from the people he was harassing. So he could go through dozens and dozens of email addresses and twitter accounts a day. Spammers are usually attempting to collect money from people, and they need to have some sort of way for their targets to provide that money.
In fact, a group of researchers looked at credit card processing as a way to stop spam.

95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by just three financial companies — one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies.

(Report PDF)
It was taken as truth back when I was handling abuse@ that if we could stop people from buying from spam, that we could stop the spam problem in its tracks. That failed for multiple reasons. First, it’s impossible to stop people from being manipulated and taken advantage of by scammers. Second, spammers have figured out how to make money in many more ways than getting people to give it to them. Now, a lot of spam is not advertising real products or services. It’s closer to theft or fraud.

Blocklist changes
Uptick in botnet spam

Related Posts

First spam to Epsilon leaked address

This morning I received the first two spams to the address of mine that was compromised during the Epsilon compromise back in April. Actually, I received two of them. One was the “standard” Adobe phish email. The other was similar but referenced Limewire instead of Adobe.

Read More

SpamZa: corrupting opt-in lists, one list at a time

A number of ESPs have been tracking problematic signups over the last few days. These signups appear to be coming from an abusive service called SpamZa.
SpamZa allows anyone to sign up any address on their website, or they did before they were unceremoniously shut down by their webhost earlier this week, and then submits that address to hundreds of opt-in lists. This is a website designed to harass innocent recipients using open mailing lists as the harassment vehicle.
Geektech tested the signup and received almost a hundred emails 10 minutes after signing up.
SpamZa was hosted on GoDaddy, but were shut down early this week. SpamZa appears to be looking for new webhosting, based on the information they have posted on their website. 
What does this mean for senders?
It means that senders are at greater risk for bad signups than ever before. If you are targeted by SpamZa, you will have addresses on your list that do not want your mail. Some of those addresses could be turned into spam traps.

Read More

Are you sure? Part 2

There was a bit of discussion about yesterday’s blog post over on my G+ circles. One person was telling me that “did you forget you opted-in?” was a perfectly valid question. He also commented he’s had the same address for 20 years and that he does, sometimes forget he opted in to mail years ago.
As an anti-spammer with the idea that it’s all about consent, I can see his point. Anti-spammers, for years, have chanted the mantra: “it’s about consent, not content.” Which is a short, pithy way to say they don’t care what you send people, as long as the recipients themselves have asked for it.
This is the perfect bumper sticker policy. As with most bumper sticker policies, though, it’s too short to deal with the messy realities.
I’m not knocking consent. Consent is great. Every bulk mailer should only be sending mail to people who have asked or agreed to receive that mail.
But if your focus is on delivery and getting mail to the recipient’s inbox and getting the recipient to react to that mail then you can’t just fall back on consent. You have to send them mail that they expect. You have to send them mail that they like. You have to send them mail they will open, read and interact with.
If your permission based recipients are saying they forgot that they signed up for mail, that is a sign that the sender’s program is futile. These are people who, at one point or another, actually asked to receive mail from a sender, and then the mail they receive is so unremarkable that they totally forget about the sender.
Maybe that’s another reason the question “are you sure you didn’t forget you opted in” from clients bothers me so much. If I signed up and forgot that points to problems in your program, mostly that it’s totally unremarkable and your subscribers can forget.

Read More