Catching Spam by Looking at Traffic, Not Content
AngryDad writes "HexView has proposed a method to deal with spam without scanning actual message bodies. The method is based solely on traffic analysis. They call it STP (Source Trust Prediction). A server, like a Real-time Spam Blacklist, collects SMTP session source and destination addresses from participating Mail Transfer Agents (MTAs) and applies statistics to identify spam-like traffic patterns. A credibility score is returned to the MTA, so it can throttle down or drop possibly unwanted traffic. While I find it questionable, the method might be useful when combined with traditional keyword analysis." What do you think? Is this snake oil, or is there something to this?
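The scoring idea in the summary, worked through as an added Python example. This is not HexView's STP code and nothing about their actual statistics is known from the page; the session records are constructed, and the window size, the rate and fan-out caps, the minimum sample count and the drop/throttle thresholds are all assumptions chosen to make the mechanism visible. The only inputs are session metadata (timestamp, source IP, destination domain), never message content.

```python
"""Added example of an STP-style source credibility score computed from
SMTP session metadata only. Not HexView's code; all constants are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: sliding window for the burst measurement
RATE_CAP = 30                    # assumed: sessions per WINDOW that count as fully bursty
FANOUT_CAP = 20                  # assumed: distinct destination domains that count as full fan-out
MIN_SAMPLES = 5                  # assumed: below this many sessions we refuse to judge a source


def build_sample():
    """Constructed session records as a participating MTA might report them:
    (timestamp, source IP, destination domain)."""
    t0 = datetime(2006, 5, 1, 10, 0, 0)
    sessions = []
    # A source that hits 30 different domains with 40 sessions in under 10 minutes.
    for i in range(40):
        sessions.append((t0 + timedelta(seconds=15 * i), "203.0.113.5", f"dom{i % 30}.example"))
    # A source that sends six messages to two domains spread over two hours.
    for i in range(6):
        dst = ("alpha.example", "beta.example")[i % 2]
        sessions.append((t0 + timedelta(minutes=20 * i), "198.51.100.7", dst))
    # A source seen only twice: not enough evidence either way.
    sessions.append((t0, "192.0.2.9", "gamma.example"))
    sessions.append((t0 + timedelta(minutes=5), "192.0.2.9", "gamma.example"))
    return sessions


def peak_sessions_in_window(times, window):
    """Largest number of sessions from one source falling inside any window."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def credibility(sessions):
    """Return {source_ip: score in [0, 1]}, or None where there are too few sessions.
    1.0 means nothing suspicious was seen; 0.0 means bursty and spraying many domains."""
    by_src = defaultdict(list)
    for ts, src, dst in sessions:
        by_src[src].append((ts, dst))
    scores = {}
    for src, recs in by_src.items():
        if len(recs) < MIN_SAMPLES:
            scores[src] = None
            continue
        peak = peak_sessions_in_window([ts for ts, _ in recs], WINDOW)
        fanout = len({dst for _, dst in recs})
        rate_factor = min(1.0, peak / RATE_CAP)
        fanout_factor = min(1.0, fanout / FANOUT_CAP)
        scores[src] = round(1.0 - 0.5 * rate_factor - 0.5 * fanout_factor, 3)
    return scores


def policy(score):
    """What the receiving MTA does with the returned score (thresholds assumed)."""
    if score is None:
        return "accept"      # no evidence, so no penalty
    if score < 0.3:
        return "drop"
    if score < 0.6:
        return "throttle"
    return "accept"


if __name__ == "__main__":
    for src, score in credibility(build_sample()).items():
        print(f"{src:14} score={score} -> {policy(score)}")
```

The obvious weakness, raised later in the thread, is that a legitimate mailing-list host fans out to many domains in a burst too, so a real deployment needs a whitelist in front of this score, and a botnet can stay under both caps by spreading the same volume across more nodes.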
This is painfully obvious and hopelessly naive but (Score:4, Interesting)
Re:Greylisting (Score:1, Interesting)
The proposed method looks at traffic patterns to find and block spammy MTAs. It does not rely on bugs in the MTAs.
Re:This is painfully obvious and hopelessly naive (Score:4, Interesting)
Re:sounds good to me (Score:5, Interesting)
A combination of policyd, Postfix, SpamAssassin and IDS/bandwidth accounting software has turned it into something manageable, at least where I work. Customers are allowed, say, 100 e-mails in a 30 minute time span. If they complain and have a real reason, we can adjust. This also makes finding users with pwned machines a lot easier.
Some of them now (the spam zombies) seem to be moderating their outgoing connections so that it's not so obvious but their volume is still substantial. It just never ends...
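The per-customer limit described in the comment above, as an added Python example (not the poster's policyd configuration). It applies a sliding-window limit of 100 messages per 30 minutes, and adds a second check the comment's follow-up calls for: a zombie that paces itself under the window limit still shows up when its daily volume is compared against the customer's usual baseline. The outbound log and the baseline figures are constructed; the 5x baseline multiplier is an assumption.

```python
"""Added example: outbound rate limiting per customer plus a daily-volume
check for zombies that throttle themselves under the per-window limit."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT = 100                    # messages per customer per WINDOW (the figure in the comment)
WINDOW = timedelta(minutes=30)
BASELINE_MULTIPLIER = 5        # assumed: flag a customer at 5x their usual daily volume

# Constructed "usual" daily volumes a provider would have from past accounting.
BASELINES = {"alice": 5, "bob": 20, "carol": 10}


def build_outbound_sample():
    """Constructed outbound log: (timestamp, customer) per submitted message."""
    t0 = datetime(2006, 5, 1, 8, 0)
    events = []
    for i in range(5):              # alice: five messages over 40 minutes
        events.append((t0 + timedelta(minutes=10 * i), "alice"))
    for i in range(150):            # bob: 150 messages in 20 minutes, a blatant zombie
        events.append((t0 + timedelta(seconds=8 * i), "bob"))
    for i in range(144):            # carol: one message every 5 minutes for 12 hours,
        events.append((t0 + timedelta(minutes=5 * i), "carol"))   # never near 100/30min
    return sorted(events)


def apply_rate_limit(events, limit=LIMIT, window=WINDOW):
    """Sliding-window limiter: only accepted messages count toward the window.
    Returns ({customer: accepted}, {customer: rejected})."""
    recent = defaultdict(deque)
    accepted, rejected = defaultdict(int), defaultdict(int)
    for ts, cust in events:
        q = recent[cust]
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= limit:
            rejected[cust] += 1       # policyd would answer the MTA with a temporary reject here
        else:
            q.append(ts)
            accepted[cust] += 1
    return dict(accepted), dict(rejected)


def zombie_candidates(events, baselines, multiplier=BASELINE_MULTIPLIER):
    """Customers whose volume on some day is far above their historical baseline,
    regardless of whether the per-window limit ever tripped."""
    daily = defaultdict(int)
    for ts, cust in events:
        daily[(cust, ts.date())] += 1
    flagged = set()
    for (cust, _day), n in daily.items():
        if n >= multiplier * baselines.get(cust, 1):
            flagged.add(cust)
    return flagged


if __name__ == "__main__":
    evts = build_outbound_sample()
    acc, rej = apply_rate_limit(evts)
    print("accepted:", acc)
    print("rejected:", rej)
    print("zombie candidates:", sorted(zombie_candidates(evts, BASELINES)))
```

carol never hits the window limit, which is exactly the "moderating their outgoing connections" behaviour the comment describes; only the baseline comparison catches her.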
Its not snake oil, but... (Score:5, Interesting)
effective in the long term. Getting around this type of filter (or delay) seems relatively simple compared to the task of defeating the Bayesian filters over the past couple of years.

The lynchpin of greylisting is that legitimate mail will "try again" after being returned by the server, while spam will not. The conclusion (which we hope is true) is that any mail that is not re-sent was in fact spam. Never mind the danger that the assumption could be false and legitimate mail gets lost -- how long will it be before spammers simply "retry" their spam -- or worse -- just send everything twice?
As with any attempt to modify behavior electronically -- behavior usually wins.
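The greylisting mechanism the comment above criticises, as an added Python example (not any particular greylisting implementation). It keys state on the usual (client IP, envelope sender, envelope recipient) triplet, defers the first attempt, and accepts a retry only after a minimum delay; the 5-minute delay and 4-hour expiry are assumptions. The simulated scenarios are constructed, and the last two show the comment's point: sending everything twice in a row is still deferred, but a spammer that retries after the delay walks straight through.

```python
"""Added example: a minimal greylist keyed on (client IP, sender, recipient)."""
from datetime import datetime, timedelta

MIN_DELAY = timedelta(minutes=5)   # assumed: a retry sooner than this is still deferred
MAX_AGE = timedelta(hours=4)       # assumed: an unverified triplet older than this starts over


class Greylist:
    """Tracks triplets and whether each one has proven it retries."""

    def __init__(self):
        self.seen = {}   # triplet -> (first_seen, verified)

    def check(self, now, client_ip, sender, recipient):
        key = (client_ip, sender, recipient)
        entry = self.seen.get(key)
        if entry is None:
            self.seen[key] = (now, False)
            return "DEFER"            # 450 4.7.1: please try again later
        first_seen, verified = entry
        if verified:
            return "ACCEPT"
        if now - first_seen > MAX_AGE:
            self.seen[key] = (now, False)
            return "DEFER"            # stale entry: treat as a fresh first attempt
        if now - first_seen < MIN_DELAY:
            return "DEFER"            # retried too quickly, or simply sent twice at once
        self.seen[key] = (first_seen, True)
        return "ACCEPT"


def simulate():
    """Constructed scenarios; returns the verdict sequence for each sender."""
    t0 = datetime(2006, 5, 1, 12, 0)
    gl = Greylist()
    me = "me@example.com"
    # A real MTA: first attempt deferred, queue retry after 15 minutes, later mail flows.
    legit = [gl.check(t0 + timedelta(minutes=m), "198.51.100.7", "a@alpha.example", me)
             for m in (0, 15, 60)]
    # A fire-and-forget bot that never retries.
    one_shot = [gl.check(t0, "203.0.113.5", "x@spam.example", me)]
    # A bot that "sends everything twice" two seconds apart.
    twice = [gl.check(t0 + timedelta(seconds=s), "203.0.113.6", "y@spam.example", me)
             for s in (0, 2)]
    # A bot that has learned to retry after ten minutes.
    retrying = [gl.check(t0 + timedelta(minutes=m), "203.0.113.7", "z@spam.example", me)
                for m in (0, 10)]
    return {"legit": legit, "one_shot": one_shot, "twice": twice, "retrying": retrying}


if __name__ == "__main__":
    for name, verdicts in simulate().items():
        print(f"{name:9} {verdicts}")
```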
I am curious... (Score:3, Interesting)
Cheers.
this and other effective weapons (Score:5, Interesting)
I work for a small email company; we process millions of emails an hour inbound, but only a few million a day outbound.
Our most effective filters are:
connect/HELO restrictions: you can only get email into the environment if your IP address resolves to a FQDN.
HELO restrictions: if you connect using X different HELO strings, you are blacklisted. Spambots often randomize the HELOs; this blocks those.
SpamAssassin at the client side, filtering email into various folders based on the score.
antivirus server that filters the few viruses that make it in, and phishing is filtered too.
The problem? All this doesn't catch enough of the spam. We still have loads of CPU dedicated to filtering spam, but something like this technique at the border will help, and I'll predict (based on experience watching the traffic and spam filtering graphs) that we could cut spam another 30% just by watching the curves and tightening the restrictions during those peaks.
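The first two filters in the comment above, as an added Python example (not the poster's mail system). The reverse-DNS requirement is modelled with a constructed PTR table, since a real deployment would query DNS; the HELO-churn rule counts distinct HELO strings per client address and blacklists above a threshold. The connection log is constructed and the threshold of 3 is an assumed value for the comment's "X".

```python
"""Added example: connect-time filters on reverse DNS and HELO churn."""
from collections import defaultdict

HELO_LIMIT = 3   # assumed value for "X": more distinct HELOs than this gets blacklisted

# Constructed reverse-DNS table standing in for real PTR lookups.
PTR = {
    "198.51.100.7": "mail.alpha.example",
    "203.0.113.5": "203-0-113-5.dyn.example",   # resolves, but watch its HELO churn below
    "192.0.2.9": None,                          # no PTR record at all
}

# Constructed connection log: one line per SMTP session, "<client ip> HELO <name>".
CONNECTIONS = """\
198.51.100.7 HELO mail.alpha.example
198.51.100.7 HELO mail.alpha.example
203.0.113.5 HELO xkqzd.local
203.0.113.5 HELO fj29ab
203.0.113.5 HELO mail.bigbank.example
203.0.113.5 HELO host-7
192.0.2.9 HELO relay.beta.example
192.0.2.9 HELO relay.beta.example
""".splitlines()


def parse_connections(lines):
    """Yield (client_ip, helo) pairs; malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "HELO":
            yield parts[0], parts[2]


def has_fqdn(ip, ptr=PTR):
    """First filter: the connecting address must reverse-resolve to a name."""
    return ptr.get(ip) is not None


def helo_churn(connections):
    """Second filter input: number of distinct HELO strings seen per client address."""
    names = defaultdict(set)
    for ip, helo in connections:
        names[ip].add(helo)
    return {ip: len(s) for ip, s in names.items()}


def decide(lines, limit=HELO_LIMIT):
    """Verdict per client IP after both filters."""
    churn = helo_churn(parse_connections(lines))
    verdicts = {}
    for ip, distinct in churn.items():
        if not has_fqdn(ip):
            verdicts[ip] = "reject-no-fqdn"
        elif distinct > limit:
            verdicts[ip] = "blacklist-helo-churn"
        else:
            verdicts[ip] = "accept"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in decide(CONNECTIONS).items():
        print(f"{ip:14} {verdict}")
```

Note that the churn rule needs history across sessions from the same address, so it only works at a point that sees all connections from a client, not on a single MTA behind a load balancer that spreads them.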
Has been done for a long time. (Score:5, Interesting)
My (previous) ISP did this several years ago. I found out when I was making a computer for a friend. At the time (this was a few years ago) I didn't yet know just how quickly an unprotected Windows box is owned by viruses. I thought I'd be okay for the time it takes to download a firewall. 20 seconds later I got a popup that I recognized as an infection, so I shut down the machine, and tried to get the firewall / AV software with my other machine instead - only to be greeted by a screen where my ISP informed me that "By the look of your outgoing traffic, it would seem that your machine has been turned into a spam-bot by a virus, and your account will be automatically unblocked 1 hour after the suspicious traffic stops." This was followed by some generic instructions for virus removal.
Re:This is painfully obvious and hopelessly naive (Score:4, Interesting)
The spam-sending organization then shows them that they need to revise their message with a better subject line so more people opened the email. Another $1000 and more spam is sent, this time 0.7% of the people open the email.
Continue this until the advertiser runs out of money. If you have enough contracts for sending spam it matters not a whit if anyone buys the stuff at all. It is only important that people pay for it to be sent.
The only real solution to spam. (Score:3, Interesting)
Follow the money and stop the source (Score:2, Interesting)
Won't work. (Score:3, Interesting)
Won't work. It just means the owners of zombie PCs get big bills.
Re:Problem (Score:3, Interesting)
The company I work for contracts with advertisers to send out bulk mailings to our opted-in users.
And did they opt in by specifically requesting your mail, or implicitly as part of some other transaction? If it's the latter, you're a spammer. Die.
If people really want your content, offer an RSS feed. If nobody subscribes to your feed, they didn't want your content.
Re:Obligatory (Score:3, Interesting)
This form is for ideas that have been thought of before and have been discredited, but I'm not convinced yet that this idea wouldn't work. Here are the biggest objections you raised:
How? The method specifically mentions whitelisting, and only mailing lists or other "legitimate uses" (can't think of any myself) that involve thousands of recipients would be noticed by the proposed algorithm.
All the usual anti-DoS strategies would work perfectly well here. The same statistics used to identify patterns can identify junk data sent by spammers to confuse the system. The closest thing to a "brute force attack" that would work would be for a spammer to use a bigger botnet and have each node send messages at a rate low enough to not be noticed. That's a significant victory for the rest of us.
What other methods counter this approach, and what stops people from dropping it if/when it stops working? (Note that the article discusses four attacks, two of which count as a win for the good guys and two of which have viable counterattacks.)
You don't have to trust them any more than you trust any other anti-spam service that provides data to your filtering algorithm.
I don't claim that this method is good, but that the objections raised so far have not been very convincing.
Re:sounds good to me (Score:2, Interesting)
Re:Won't work. (Score:3, Interesting)
That's not a bug, it's a feature.
Right now, the costs caused by Windows insecurity are passed on to me even though I don't run Windows. Passing those costs on to the people causing them would be much fairer.
Re:this and other effective weapons (Score:3, Interesting)
The problem is that it is still filtering (Score:3, Interesting)
free, yet their router retains the default username and admin password. Spammers have programs that allow people to try to log in to these routers and use their embedded telnet commands to send spam without the knowledge of the computer owner or any program residing on their computer. The point is that the Internet can be compared more to "swiss cheese" rather than the "series of tubes" that the politicians use. There are many, many points of attack for spammers to use.
Filtering spam is much akin to a person who holds hands in front of his or her face while a bully is pummeling him or her. The person is likely to fend off blows from the bully, but some of the blows will get through. Once spam is sent, even if properly filtered, the damage has already been done. Until very recently, all I had in my area was dialup. My program successfully filtered about 99% of the spam received; however, I still had to wait about 30 minutes before I was able to view my legitimate mail. I lost 30 minutes of time that I could have been working on a client's problem, while the spammer lost nothing. I also lost a client because a program that I previously used labeled an email he sent me as spam. Again the spammer who spammed me lost nothing. Spammers are like bullies; they will not stop until people HIT BACK!
It is only when spammers have to deal with the large amount of bandwidth used, the processing power to handle complaints, and the loss of sales that result from efforts to filter complaints that spam will be much less profitable. The idea is to punch back and deter the bully. Sending complaints to the spammers' websites gets them at their weak point - the place where they make contact with potential buyers. Several programs have attempted to hit back, and 2 of them were very successful in doing so. However, like spammers, these programs had a weak point, and that point was the fact that they needed a central server in order to instruct each individual program. Now things are different. There are several projects currently underway to trade complaint instruction files via peer to peer networks. What this means is that there is no central server which spammers can attack in order to silence complaints to their websites. One such project is called SpammerSkewer, and it is an open source GPL program that is in alpha. The program can be found at http://spammerskewer.sourceforge.net/
It is also important to note that these new programs are not distributed denial of service programs. As for SpammerSkewer, it only receives instructions on how to complain. It does not initiate complaints. Only a user can initiate a complaint by either bringing up the complaint interface or by dragging an email into SpammerSkewer's spam directory. It is the spammer who determines how many complaints are submitted to their websites. SpammerSkewer's author even provides a way for spammers to "opt out" from receiving complaints if they insert a header clearly labeling their email as spam. Another way they can opt out is by not sending spam in the first place. In a distributed denial of service attack, a person other than the one who controls a victim's website is the one that controls how many visits a site receives. With SpammerSkewer, it is the spammer who sends out the spam that determines how many visits a site advertised via spam gets. The only sites that are put in SpammerSkewer's instruction files are those well known to be advertised via spam. Instruction files are also cryptographically signed in order to prevent tampering. I