Along the way to writing my inventory of solutions,
I wrote up an inventory of problems. I see these as
the antecedents of the solutions, and also a useful
checklist anticipating the counter-counter-measures
of the spammers.

Evading accountability
- forging envelope sender
- forging From header

Exploitation of weak systems
- exploit open SMTP relay
- exploit insecure web services (CGI formmail)
- exploit open proxies (HTTP CONNECT, HTTP)

Aggressive database generation
- directory harvesting (web, LDAP)
- name guessing & probing
- name guessing without probing [selling bogus data to others]
- inappropriate database sharing/selling

Inadequate opt-in
- no actual opt-in
- deceptive opt-in
- single opt-in without confirmation

Inadequate opt-out
- opt-out not implemented
- opt-out ineffective (pro forma removal from one list not all)
- opt-out untimely
- opt-out difficult to execute
- opt-out hostile (used only for address verification & enrollment in even more databases)

Evasion of automated filters
- content randomization
- eyespace transformation
  - misspelling
  - punctuation and spacing
  - substitution of visually similar characters
- HTML coding tricks
  - slice&dice tables
  - JavaScript-generated content
  - font size/color/background
- MIME multipart encoding
- inclusion of non-spam chaff (visible or invisible)
- content in images, not text
- content in other external links

Evasion of human caution
- fake DSN
- fake content resembling common CGI-to-mail
- "returned your call", "your account has a credit", etc.

Not a real business
- spam as chain letter/pyramid, selling software and bogus data to the naive
- spam as DoS attack, no real solicitation in content

False claims
- false claims regarding opt-in

Fraud & Crime
- Nigerian 419
- eBay password/credit card theft
- PayPal password/credit card theft

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg