Catching Spam by Looking at Traffic, Not Content 265
AngryDad writes "HexView has proposed a method to deal with spam without scanning actual message bodies. The method is based solely on traffic analysis. They call it STP (Source Trust Prediction). A server, like a Real-time Spam Black list, collects SMTP session source and destination addresses from participating Mail Transfer Agents (MTAs) and applies statistics to identify spam-like traffic patterns. A credibility score is returned to the MTA, so it can throttle down or drop possibly unwanted traffic. While I find it questionable, the method might be useful when combined with traditional keyword analysis." What do you think? Is this snake oil, or is there something to this?
sounds good to me (Score:5, Insightful)
We can't do this on our personal or company internet connections because we only see individual messages coming from many different IPs, but on the other end of the connection, or even at the backbone level, this strikes me as a pretty solid solution. They could even just tag the packets with the evil bit [faqs.org] and let us decide if we want to filter them or not.
unlikely indicators (Score:5, Insightful)
I think the question raises an interesting point: spams *behave* differently on the network than most legitimate emails. It may not be a perfect discriminator, but it sure might be a corroborative scoring aid. This reminded me of the controversy when Slashdot started using text compressibility as a metric for "lameness." I was a disbeliever, and still have my reservations about it, but as a part of the overall toolbox for filtering lameness, the technique seems to have value.
greylisting works (Score:2, Insightful)
OpenBSD's greylisting [openbsd.org] in spamd works wonders.
The problem with this (Score:5, Insightful)
Re:This is painfully obvious and hopelessly naive (Score:2, Insightful)
People will stop buying from spam when they stop forwarding every hoax or urban legend they recieve through their company e-mail to everybody else on their address book.
When someone finds a way to do it, please ping me.
Re:This is painfully obvious and hopelessly naive (Score:5, Insightful)
Yes and no - but a suggestion... (Score:3, Insightful)
OTOH, As part of a larger array of spam-fighting tools, okay - there's bits in there I actually like and which can be used as part of other solutions, if not used in the way suggested. As someone who runs a couple of MTA's on top of everything else I do around here, I always like to find new and interesting ways of stopping spam.
N.B., all that I ask is this: Please make it useful w/o sucking down resources or requisitioning another server. I detest external RBL's - please don't suggest anything that may have an overly-subjective and/or an overly-dependant basis like that. If it isn't RFC-compliant (yes, Verizon, I'm talking to YOU when I say that!), I won't go near it.
Satisfy those, and yes, I'm interested, as would lots of other SMTP-monkeys out here.
What about SenderBase? (Score:4, Insightful)
This isn't a new concept. Our mail gateways already participate in something like this with IronPort's [ironport.com] SenderBase [senderbase.org] reputation filtering. 90%+ of our incoming mail traffic is dropped based on poor reputations scores without looking at anything more than the sender's address. So far, we've never had a false-positive that we know of, and only once, after many customers were made a part of a bot-net and started spamming, did SenderBase throttle traffic to one of the local ISP's. A quick call to their mail admins pointing out the problem and they were able to block those customers from sending mail until they were cleaned up and the reputation score climbed back up again.
It has really taken the load off our mail servers by blocking millions of connections. The rest, we run through SpamAssassin and everything works great!Re:This is painfully obvious and hopelessly naive (Score:4, Insightful)
Its similar to a pretty interesting conceptual innovation in medicine, when people realized that even excellent doctors will at some point make grossly negligent mistakes simply due to the shear amount of work they do (i.e. operating on people with paralytics but not analgesics). So the innovation is to make them make fewer decisions - machines that check settings before running, labels that a four year old could understand, arrows and other reminders liberally applied.
So similarly here, yes it's annoying that people continue to "fund" spammers, but education is not the answer. Because, unfortunately, the spammer's target market of "everyone in the world" will always contain enough people to make their trade profitable if all we rely on is good decision making on the parts of spam recipients. So the solution has to be technical or legal. And in that regard, another small step for man here.
Re:sounds good to me (Score:2, Insightful)
For those keeping track at home (Score:1, Insightful)
ISP traffic analysis blocking torrents = bad
Re:And yet likely... (Score:4, Insightful)
because any email that from the 'Democratic People's Republic of $Country' is likely to be as bogus as the countries name. If a country needs to add 'Democratic' or 'Republic' to its name, you know something's wrong
Even if no one ever responds, it won't stop (Score:5, Insightful)
Even if no one ever responds, it won't stop as long as the people paying to have it sent think it works. It's like burning candles to St. Balderdash for scam marketing morons. As long as there is a steady supply of rubes who think that sending spam is their road to riches, and are willing to pay some brighter but no more honest spam lord to send their dreck to a bazillion hapless victims for them, spam will contine to flow.
This is true even if no one ever responds to, falls for, or even opens a spam message ever again.
--MarkusQ
Places you don't want to be (Score:3, Insightful)
Central African Republic- Less than half the genocide of its neighbor in the congo.
Dominican and Czech Republics, and Macedonia- actual democracies.
So two of your five examples help prove my point- and when you start stacking adjectives together- like 'People's Democratic Republic of Korea' you know you've got one of the worst places to live on Earth.
Also, why on earth would you get an 'official government email' from someone in these countries? That's less likely than you being a Viagra dealer and have Viagra mentioned correctly in your email. That's also why different people will have different spam filters for their mail- if I worked with the Republic of Ireland or was a professor of Greek history I would probably see the word 'Republic' in legitimate email.
Re:sounds good to me (Score:5, Insightful)
Actually, webmail can do one better: if a message is marked as spam at some point in time, the system can retroactively remove it from the Inboxes of the 'first few thousand unlucky recipients' (or mark it 'this may be spam', gray it out, etc., at the least). I don't know of anyone doing this, but I wish they would.
Won't really work (Score:2, Insightful)
Re:This is painfully obvious and hopelessly naive (Score:3, Insightful)
Why can't people stop responding to spam in the first place? [...] If spammers made absolutely zero dollars for their efforts would they stop?
First off, if people stopped responding to spam, it wouldn't have any effect on phishing spam, since phishing is based on tricking the user into thinking it's legitimate mail rather than spam. Also, once you have control over an army of zombies, the incremental cost of sending one spam is zero. Even if the spammer thinks he's unlikely to make any money at all by sending out spam, he's already set up to do it, so why not? If even one person in ten million clicks on a spam accidentally because his cat walked across his desk, that makes it worth it to the spammer to have sent out the other 9,999,999 spams. Look at all the bayes-poisoning spams we get, with no link to click on; the spammers know they aren't going to profit from those, but they send them anyway, because it's free. And finally, there are a lot of other things you can do with a network of zombies. For instance, you can carry out extortion schemes by threatening DDOS attacks. The basic problems are (1) poor security of Windows, and (2) the fact that the e-mail protocols were designed before the internet existed, in an era when you knew everybody who was on your network.
Re:For those keeping track at home (Score:2, Insightful)
spam = bad
torrents != bad
Anyway, you're comparing apples to socket wrenches... Torrent is a file transfer protocol which can be used legitimately. Spam is a specific abuse of the various e-mail protocols, and by definition cannot have any legitimate use. For your comparison to make sense, it would either have to be between using torrent to distribute virii and spam, or between torrent and SMTP/etc. traffic.
Re:Obligatory (Score:1, Insightful)
The best and worst places to be (Score:3, Insightful)
Re:This is painfully obvious and hopelessly naive (Score:4, Insightful)
Generally there's nothing to 'reply to' - To order the viagra you've got to go to a web site, or fax in an order - and all the latest 'pump and dump' stock-selling emails don't sell anything at all. They buy some stock, spam out their messages, then dump the stock when the price goes up. Often the company in question knows nothing about it.
Want to get rid of Spam? (Score:3, Insightful)
Send a URL in your text-only email if you want to check the email out in HTML...
Just a thought
Re:sounds good to me (Score:3, Insightful)
Re:sounds good to me (Score:3, Insightful)
Then he asks to get port 25 unblocked. Or he's serious enough about his hobby mailing list to drop 8 quid a month for a dreamhost account (which isn't itself spam-free, but you know at least DH's nets aren't full of zombies). Or he switches to a web feed. There are solutions, but giving random strangers the benefit of the doubt isn't one of them.
If SPF and Domainkeys ever got any traction, then Challenge-Response would be somewhat workable
Re:Its not snake oil, but... (Score:3, Insightful)
Re:This is painfully obvious and hopelessly naive (Score:2, Insightful)
In the same way legitimate businesses will pay marketing companies to run advertising campaigns, design, send and manage email distribution lists, etc, less legitimate 'businesses' pay spammers to send out their message to as many people as possible.
So yes, they do get paid - just not by the victims of the spam.