
Re: [Asrg] Textbook example

2003-06-24 12:25:39
Yakov Shafranovich wrote:
At 6/24/2003, gep2(_at_)terabites(_dot_)com wrote:

Here's sorta a good textbook example of relatively common spammer tricks. Let's consider it:
chanty MycXY42jUmagernJQbgbHxg%3D%3D unselfishly o-eVm
<a href="http://hgabriela(_at_)210(_dot_)15(_dot_)187(_dot_)49/dtomi/">
....

Out of the twenty spam messages I received this morning at one specific account, two were text based and not HTML as follows:
..................
Return-Path: <montykambo(_at_)mail(_dot_)com>
From: "Monty Kambo" <montykambo(_at_)mail(_dot_)com>
To: xfiles(_at_)pocketmail(_dot_)com

Every extensi0n you want to register or renew is available here and it is che(_at_)p(_dot_)

Most popular: .net .info .tv
Just released: .club .travel .sport

Over 100,000 names registered so far.

http://www.domainsforpeople.com
..................

Well, look at the two textbook examples from another
perspective, for they both tell us something else,
the end destination for the spammer, his/her domain.

This is real information, not fake (if it isn't a spammer's
version of a DDoS). Skip the rest and use this. URLs need
to be correct to work, independent of whether it is an HTML
or an ASCII message. Some web coding of the address is
common, but normally simple to decode when analyzing the
incoming mail, but if it does not say "http:" it would not
work. It is a bit worse with base64, yes.

Anyway, with a limited number of spammers and most likely
a limited number of domains this is useful. Vernon's list
the other day had more in common with my own list than
should be expected, since he had far more web-shops in
his list, while I have more web-sites and 50% from Asia.
Of some 7-8000 entries in both lists, 2,500 were common.
If there is an "infinite" number of spammer domains, it
should have been less.

Unfortunately the HTML discussion above as such is redundant.
Most of us sit in a world where we have to service others
with a mail service, for better or for worse. When doing that
we have to remember some simple things:

1. The users want a simple-to-use service

2. They have a reason for using email instead of mail

3. Mail they don't want is always spam, even if we
  don't think so

4. Mail we label spam, is not always spam in their
  eyes

5. What we think is appropriate as a mail format does
  not have any bearing whatsoever on these users.
  They want to do tables, they want to do bold and
  (however horrible it may be) they want to use Outlook
  because Uncle Bill included it for automatic install
  in Windows. I.e. they want a function without thinking,
  even if it is at a risk for their PC

6. They do not want to change their e-mail address

7. They want to reach their mail when on holiday or
  at work (a webmail interface)

8. They do not want to see any strange mails that require
  them to answer a question or so to communicate with
  rich Auntie Agatha.

In short, they want us to cut spam automatically, so they
do not need to bother. And we can't change this.

On the other hand, spammers (I exclude the DDoS types)
want to:

a. send us ads/web pages that get us to visit a web site
  with a sales pitch

b. to call a phone number to talk with a sales person

so they get the traffic and earn money from it.

What we think about spam is irrelevant, it is what our
customers and the spammers think that is important.

If we avoid this focus, we will never be able to get
anywhere. I seem to remember that the charter says
something about creating a common "ground" before
"solving" the issue.

Well, where is this common ground? Mostly I see complicated
solutions, requiring a lot of either client or MTA changes,
but little common ground. Look at the above: we
can never fulfill every user's expectation, but we need
to find some simple common principles about spam that
are OK for everybody (excluding the spammers), that are
usable to handle the issue at hand.

The basic definition must therefore be: "Spam is a form
of electronic marketing, where the receiver has not asked
to receive it and also stands for the main part of
the transmission cost".

This accounts both for the guy not wanting spam, as
well as the "Shopping Channel"-guy, loving spam. They
have not asked for it and they do pay for the main
part of the cost, through their connection cost or ISP
charges. Going to a web page with ads, we take an active
action for. With spam we don't (except for sometimes
having released our address in a Usenet discussion, a
web page or registration at some function for free).

The second definition must be: "Spam is electronic
marketing, where the sender generally uses a
non-functional sender address as well as sometimes
including non-functional information on how to end
sending". Really, opt-out is a joke. It didn't even
work during Spamford's days.

The third definition is: "Spam is a sociological
phenomenon, not a technological one". Spam uses technology,
but this is only a means, not the objective. It also
makes it harder to beat. Viruses are simpler, since they
are the objective, even if they also are a sociological
phenomenon.  Spam wants _us_ to _do_ something.

The fourth definition is what I wrote in the start:
"Spam does contain some information we can trust, such as
a web address or phone numbers".

What can we get from this crap?

Well, the spammer wants something in return from _us_
for sending us that letter: that we go to his/her
website / call the Call Center to purchase a product.

But the spammer is two entities, the owner of the
product and the sender (sometimes the same person).

If the spammer is the sender, he/she wants to get paid
for every lead his/her customer gets from the action.

If the spammer is this customer, he/she wants to have as
many leads as possible, because that increases the number
of sold products. If the seller doesn't get any leads,
the sender doesn't get any assignments, e.g. we lose a
spammer.

The best way to cut the number of leads a seller gets is
to take out the usage of the website address, i.e. a
website in a spam is included in the blocklist -> reduction
of leads, since no-one sees the address. If the seller changes
address to get around it, honeytraps collect it and include
it again in the blocklist. Skip sender addresses and such,
concentrate on stable content.

To use the problem's sociological features, as a base of
handling it, must be a better way than raw technology.

But those not having addresses/numbers, as Nigerians?

I just got such a letter that succeeded in passing my filter;
it did have a phone number in it. Nigerians also rely on
two-way communication; they can't change mail address in
the middle of the communication with the target, therefore
their addresses usually are very functional for a longer
time. That Nigerian was the first I got to my test
mailbox for 3 months, though some 10-15 ended up in the
spambox and those were taken on their sender domains,
collected before February.

And if done correctly, a likely solution should also require
low infrastructure impact, if run as a Milter type of filter,
as an added benefit.

Kurt Magnusson

(Leads are what the marketing whizzes call it when they get
a confirmed contact with a potential customer.)
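An added example, not code from the thread or from any list member, of the content-based check the message argues for: undo the transfer and web encoding so the "http:" address becomes visible, pull the host out of each URL (dropping userinfo such as "hgabriela@"), and match it against a blocklist of landing sites. The two sample bodies and the blocklist are constructed here, reusing the domain and IP literal quoted in the thread.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: a plain-text spam like the second quoted example.
TEXT_SPAM = """From: "Monty Kambo" <montykambo@mail.com>
To: xfiles@pocketmail.com

Every extensi0n you want to register or renew is available here.
http://www.domainsforpeople.com
"""

# Constructed sample: an HTML body, base64 transfer-encoded, with one
# percent-encoded href and a userinfo prefix in front of the host.
HTML_SPAM_B64 = base64.b64encode(
    b'chanty unselfishly <a href="http%3A%2F%2Fhgabriela@210.15.187.49%2Fdtomi%2F">'
    b'click</a> <a href="http://www.domainsforpeople.com/promo">here</a>'
).decode("ascii")

# Constructed blocklist of landing-site hosts seen in earlier spam.
BLOCKLIST = {"domainsforpeople.com", "210.15.187.49"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def decode_body(body, base64_encoded=False):
    """Undo base64 transfer encoding and percent-encoding so raw URLs are visible."""
    if base64_encoded:
        body = base64.b64decode(body).decode("utf-8", errors="replace")
    return unquote(body)

def extract_hosts(body):
    """Return the set of hosts in http(s) URLs; urlsplit drops user@, port and path."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def registrable(host):
    """Collapse 'www.example.com' to 'example.com'; IP literals are kept as-is."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) > 2 else host

def blocked_hosts(body, blocklist=BLOCKLIST, base64_encoded=False):
    """Hosts in the message whose registrable form is on the blocklist."""
    hosts = extract_hosts(decode_body(body, base64_encoded))
    return {h for h in hosts if registrable(h) in blocklist}
```

The verdict depends only on where the message sends the reader, so a changed From: line or random filler words like "chanty" do not affect it.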


