OT: e-mail and posted gobbledygook

What are the nonsensical paragraphs of disassociated words delivered with some spam and seen on some posts? I know, you will say the bodies of MY posts are nonsensical. Not important, just curious.

Reply to
Tom Gardner

The addition of seemingly nonsensical words is aimed at confusing the antispam filters that incorporate Bayesian analysis techniques, such as SpamBayes and SpamAssassin. These filters examine incoming e-mail messages and calculate the probability of it being spam based on each message's contents.

But unlike simple content filters that simply troll text looking for specific words like Nigeria, money and opt, Bayesian spam filters evolve according to each user's needs, analyzing all mail to determine what words and phrases are apt to appear in a user's legitimate e-mail and which are not. This process is called training, and results in a highly personalized and efficient filtering system.

By throwing a hundred or so random words rarely used in sales spiels into each e-mail missive, spammers hope to thwart Bayesian filters by making the spam appear to be personal correspondence. Incorporating words that might be used in legitimate e-mails is also intended to poison the checklist the filter uses, forcing it to mark, for example, e-mails with somewhat common words like Amazon and fish as spam indicators.

The strange strings of words, which usually appear at the bottom of spam and sometimes in the subject line, are automatically added by spammers' mass-mailer software, according to Steve Linford of Spamhaus, an antispam advocacy organization.

"This random noise is technically known as a 'hash buster,'" Linford explained. "Hashing" is a technique used by some spam filters to quickly compare incoming mail to known spam.

"Most of the illegal-exploit spammers use hash busters and any other trick they can to get past filters, refusing to accept that people use spam filters because they really don't want spam," Linford added.


Reply to
John Ings

I think the purpose is to get past mail filtering keywords. When you specify certain words to "pass", your mail filter won't filter those messages out.

WB ..................

Reply to
Wild Bill

They are intended to fool Bayesian spam filtering, which collects all of the words in the e-mail, selects the ones which appear most often in spams and an equal number of ones which appear least often in spams, and calculates a spam score based on that. Words which have not appeared before in either are scored at 0.40. Others work either way from that. Here is the scoring of a recent spam which just landed in my mailbox:

======================================================================
# Spamicity: 0.999895

Strongly non-spam.

# 'plate' -> 0.010000
# 'ttl' -> 0.026775
# 'makes' -> 0.147137
# 'that' -> 0.298474

Neutral -- at least this time around

# 'kartika' -> 0.400000
# 'coddington' -> 0.400000
# 'thee' -> 0.400000
# 'iso-8440-4' -> 0.400000

Strongly pro-spam.

# 'nbsp' -> 0.683439
# 'font-size' -> 0.753189
# 'html' -> 0.789474
# 'd6539' -> 0.990000
# 'affid' -> 0.990000
# 'd173' -> 0.990000
# 'x-message-info' -> 0.990000
======================================================================

Note that it doesn't care *what* a "word" means, so you wind up with some weird things being spotted as indicators of spam. Examples are the "affid" (affiliate ID) which got a .99 score, and the x-message-info: which also got a .99. Also, the "html" tag has a fairly strong spam score, as does "font-size". Both are normally found only in spam in *my* e-mail, at least, as I have very few correspondents who send HTML e-mail.

It also learns to recognize the misspellings used to disguise words as being a stronger indicator of spam than the actual words *correctly* spelled. :-)

For my e-mail, the only ones which tend to be missed by the spam filters are the ones which are very short, mostly with just a URL. And some URLs -- especially ones which use raw IP numbers instead of domain names -- are considered strong indicators of spam, too.

Anything which has a "Spamicity" score of 0.8 or higher is considered to be spam.

But tossing in all of those spare random words decreases the spam score -- except for those which nobody else uses, which rapidly become strong indicators of spam.

As an example, since I did my search-and-destroy run earlier today, I have gotten 18 spam, of which 17 wound up in the spam folder, and only that one (scored by a different version of the Bayesian filtering) got through. As you can see, if the one which I demonstrated had been doing the checking, it would have tossed this one, too.

These are the spam over and above the ones which are rejected because of the IP address block from which they come (including most of Korea, China, Taiwan, Argentina, and Brazil) -- and the ones rejected based on the (usually forged) envelope sender -- which may or may not match the (also usually forged) "From: " header.

Note -- that if you are reading it with an HTML-aware program (like Outlook Express, to name the most common one), it does not show you the plain text version if there is HTML, and the HTML version often sets the font size to microscopic for the filler garbage, so it gets counted, but not often seen. (One of the *many* reasons why I won't read e-mail with an HTML-enabled program.)

Enjoy, DoN.

Reply to
DoN. Nichols
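As an added example (not code from the thread or from any of the filters named in it), here is a small Bayesian scorer in Python that reproduces the behaviour DoN describes: each message is reduced to its distinct tokens, a never-seen token is scored at the neutral 0.40, tokens seen only in spam or only in ham are clamped to 0.99 / 0.01, and the most telling tokens are combined into a "Spamicity". It also shows why hash busters exist: an exact digest of the body changes as soon as filler words are added, while the Bayesian score does not, and after one more training pass the filler words themselves become 0.99 spam indicators. The training messages, the padded spam, and the rule of keeping the 15 tokens furthest from 0.5 (Graham's scheme) are assumptions for the illustration.

```python
import hashlib
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9][a-z0-9'\-]*")


def tokenize(text):
    """Distinct lowercase tokens; presence matters, not how often a token repeats."""
    return set(TOKEN_RE.findall(text.lower()))


def body_digest(text):
    """Exact-match digest of a normalised body: the kind of check a hash buster defeats."""
    return hashlib.sha256(" ".join(sorted(tokenize(text))).encode()).hexdigest()


class BayesFilter:
    def __init__(self, unknown=0.40, threshold=0.80, window=15):
        self.spam, self.ham = Counter(), Counter()  # how many messages contained each token
        self.nspam = self.nham = 0
        self.unknown, self.threshold, self.window = unknown, threshold, window

    def train(self, text, is_spam):
        if is_spam:
            self.nspam += 1
            self.spam.update(tokenize(text))
        else:
            self.nham += 1
            self.ham.update(tokenize(text))

    def token_prob(self, tok):
        s, h = self.spam[tok], self.ham[tok]
        if s + h == 0:
            return self.unknown  # never seen before: neutral 0.40, as in the post
        ps = s / self.nspam if self.nspam else 0.0
        ph = h / self.nham if self.nham else 0.0
        return min(0.99, max(0.01, ps / (ps + ph)))

    def spamicity(self, text):
        probs = [(t, self.token_prob(t)) for t in tokenize(text)]
        if not probs:
            return 0.5, []
        # keep the tokens furthest from neutral; 0.40 filler words are the first to drop out
        probs.sort(key=lambda tp: abs(tp[1] - 0.5), reverse=True)
        top = probs[: self.window]
        # P = prod(p) / (prod(p) + prod(1-p)), evaluated in log space
        log_p = sum(math.log(p) for _, p in top)
        log_q = sum(math.log1p(-p) for _, p in top)
        score = 1.0 / (1.0 + math.exp(min(log_q - log_p, 700.0)))
        return score, top

    def is_spam(self, text):
        return self.spamicity(text)[0] >= self.threshold


# Constructed training corpus (hypothetical messages, not real mail).
HAM = [
    "the lathe plate makes a good fit, ttl logic on the board",
    "can you check the plate dimensions before the meeting",
    "that lathe makes a nice cut, thanks for the ttl chip",
]
SPAM = [
    "cheap mortgage rates refinance now click here affid d173 nbsp font-size html",
    "lowest mortgage rates apply now click the link html nbsp font-size",
    "refinance your mortgage now click here html affid",
]
# The third spam again, padded with four random words the filter has never seen.
PADDED_SPAM = "refinance your mortgage now click here html affid zephyr quince coddle glyph"


def build_filter():
    f = BayesFilter()
    for m in HAM:
        f.train(m, False)
    for m in SPAM:
        f.train(m, True)
    return f


if __name__ == "__main__":
    f = build_filter()
    score, evidence = f.spamicity(PADDED_SPAM)
    print(f"# Spamicity: {score:.6f}")
    for tok, p in evidence:
        print(f"# '{tok}' -> {p:.6f}")
    print("padding changes the exact digest:", body_digest(SPAM[2]) != body_digest(PADDED_SPAM))
    f.train(PADDED_SPAM, True)
    print("'zephyr' after training on the padded spam:", f.token_prob("zephyr"))
```

Run it and the padded message still scores above the 0.8 threshold even though a third of its tokens are neutral filler; retrain on it once and the filler words move to 0.99, which is the "rapidly become strong indicators of spam" effect described above.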

The only words I would like the spammers to learn are "solution" and "Portuguese" and take heed of them.

The Portuguese solution is to take criminals 200 miles out to sea, throw them overboard or out of the plane, telling them they are forgiven their crime if they swim back.

Alan in beautiful Golden Bay, Western Oz, South 32.25.42, East 115.45.44 GMT+8 VK6 YAB ICQ 6581610 to reply, change oz to au in address

Reply to
alan200

What I can't understand is why spamming is a problem. It seems to me that the solution is perfectly simple: a law requiring all SMTP programs to be written so as to limit any individual to a maximum of 100 free e-mails per day. Any e-mails in excess of this number are to carry a surcharge of 1 cent per e-mail to be collected by the ISP.

Spamming is an economical method of advertising only so long as it's free.

Reply to
John Ings

If there was international legislation in place that required that you received a $0.01 credit to your ISP account for every email you receive and it costs you $0.01 per addressee to send an email, plus if the originator cannot be traced, the ISP sourcing it pays, 99% of spam would vanish overnight. ISPs in countries that refused to comply would be frozen out as our ISPs would refuse to accept mail if they weren't getting paid.

The average user and even most businesses would be unaffected by this as on average one sends as many replies as you get incoming. Might also reduce the forwarding of bad jokes and urban legends unless they are really good :-)

The moment Cost_of_mailing / response_rate for email goes over that for paper junk mail, spam dies as a money-earning business. It would also force a lot of people to secure their PCs against hackers properly :-)

Connection to SMTP Server 'relay.xxxxxyyyyyzzzzz.com' refused Reason: Your ISP reports you have insufficient credit to send email

Reply to
Ian Malcolm

However, these days, most spam is sent by spammer-written SMTP engines installed by virii and through virus-installed backdoors in Windows machines belonging to people who are not interested in spamming. (Nor are they sufficiently interested in network security, it would appear.)

You think that the spammers are going to write the spamming SMTP engines to collect the fees?

And these spamming engines bypass the ISP's mail server, so they can't keep count. (Now, if ISPs would simply block port 25 to dialup and DSL customers, these spamming engines could not work.)

Agreed.

But I got an interesting spam in snail-mail today. It was another of those mortgage spams -- and it was mailed from the same part of Florida where the most spammers are, so it seems that they are starting to be pressured to move to snail-mail. Since *they* have to pay for those to enter the system (unless the postal permit printed on them is forged), I'm happy to see them move to paper and snail-mail. More fuel for heating the house. :-)

Enjoy, DoN.

Reply to
DoN. Nichols

Well the ISP *should* have some control of traffic for port 25 on another ISP's server going out their pipe. All it needs is a fairly simple filter that decrements the customer account for the originating IP 1 credit unit per recipient. No remaining credit == no capability to send mail to an external destination. You could still be spammed by a compromised machine locally on the same ISP, but if the abuse dept. can't successfully LART its own customers, that's not an ISP, that's the UN.

Once the standard is agreed, filter incoming international traffic by the same rules. Take a foreign ISP that refuses cooperation: +1 credit for every email sent to them, -1 for every one received. Black hole if balance is -ve. Provide a mechanism for your users to 'whitelist' individual non-cooperating addresses so that your user is responsible for paying for their friends' emails to be received, but make it x10 cost to discourage people from setting it up casually.

:-)

Reply to
Ian Malcolm

Precisely.

Reply to
John Ings

These schemes seem great, but they don't work. I work with mail systems and I've seen the mutation from open relays to distributed spam generators and everything in between.

You advocate blocking SMTP at the ISP including dialup and DSL, but that assumes that there is no reason for an ISP's customer to have their own SMTP server. I maintain my own SMTP server for business reasons and pay accordingly. I do not wish to be subject to the ineptitude or limits of the ISPs available in this area.

The pay per message will not do any good. Spammers use guerrilla tactics, and will set up accounts, send 100 to 1 million messages and then abandon that domain and account. By the time the bill comes due it's too late.

There are lots of us that use e-mail to track things. I get 1500 messages a day from automated systems that are 'checking in'. This would break badly if an ISP were to meter messages to/from port 25. I have a 500 in for every 1 out ratio.

The real problem is 1) the ISPs that cater to spammers and 2) the unprotected systems that allow hackers to hijack them.

There are hundreds of ISPs that offer special services to spammers to help them get their message out unblocked. They make a lot of noise about being above-board direct marketing groups, and some even actively court big commercial accounts (charities, non-profits and others) to help keep them whitelisted.

And of course, the biggest issue is that the ISPs don't even prevent address spoofing at the network level, which is a major enabler for all hackers, so what makes you think the ISPs can co-operate on something like this?

Daniel

Reply to
dbs__usenet

Sending SPAM?

Then pay your ISP per message.

Cut the messages off at 1000 per day unless payment is received in advance or a cash bond posted.

Incoming is your business. I see no reason for charging for incoming, especially since you might be being mailbombed.

Yes, and that's controllable too isn't it? Doesn't network analysis downstream at the big pipes take note of a million e-mails going out?

Wouldn't port blocking cure that?

Obviously some forensics needs to be carried out here, and some law laid down.

Can or will?

Bottom line, early usenet was invented to enable free distribution of information among eggheads. Nobody thought of mechanisms for policing what was just a community of brethren with common goals. But now it's commercial, bigtime, and both the technology and the people involved need watching. It's like the difference between a university campus and a big city.

Reply to
John Ings

And that should be available, when you *pay* for that service. (And expect to get that port blocked if spam starts flooding through from one of your machines.) I have a business account, with a T1 feed, and handle my own mail servers. I also take considerable pains that my servers can't be used for relaying e-mail by some outside party. If I can't prevent that, I don't deserve to be allowed to run a mail server.

Obviously, I can't prevent forging my address (nor can anyone -- other than by having a major legal staff to sue the socks off of anyone who does it).

Most users (dialup, (A)DSL, and cable) have no desire to run their own mail servers, and would not notice if the ability to connect outbound on port 25 were to go away. *However*, it would block the spamming engines being installed by virii and backdoors.

If you know enough to run a mail server, you should know enough to ask that the port be opened at the ISP's router.

Spammers don't use their *own* systems to send spam directly to victims. They use those systems to infiltrate other systems (usually Windows) and install backdoors (with the help of virii), and then use those systems to send out the spam -- or to send out the initial flood of the next batch of virii, to prepare for the next round of compromised machines.

Prove that you are competent to handle a mail server and the port will be unblocked. If spam starts flooding from your net, then it will be re-blocked until you clean up whatever was sending the spam.

That is long past. Most ISPs catch that happening rather quickly and shut down the system. It is done by the thousands of infected systems being controlled from afar by the spammers. You contact a system, and it sends out thousands of spam while you are telling the next one to do the same.

Many ISPs are checking what goes through their POP ports to their mail servers. And they will either totally drop, or at the least disinfect, virus-carrying messages. (Unfortunately, they then send the stripped virus on, and it is now small enough so it drops below my size blocking specs, so I see those.) As a result, most virii/worms also include their own SMTP engine, so they can bypass the POP filtering done by the ISP. Block the SMTP port (unless asked by the customer to not do so), and this will eliminate that path of infection.

This makes life a bit awkward for those who run legitimate mailing lists. I (currently) run one, which has about 220 outgoing messages for each incoming one, so only five in a day would take me above that threshold. I don't charge for this, I don't get any income from it, or advertising, or any other benefit other than the pleasure of enabling communications. Charging would make that impractical. (Though if I turned off all of the blocking on incoming spam sources, and just filtered that to a junk mailbox, I would be on the plus side of incoming vs outgoing messages.)

However -- being paid for incoming, and paying for outgoing (at the same rates) would:

a) Make it unprofitable for spammers to operate

b) Make a tidy income from receiving spam. :-)

Yes -- and those get added to the Real-time blocklists (RBLs).

I thought that you were against port blocking, based on what you said at the start of this message.

No -- that was the person whose article you were quoting, and that original article has not arrived here yet, so I'm having to reply to the quoted text. Never mind. :-)

Note that the only practical port to block is the SMTP port, to keep outgoing virii from being sent to other systems. Virii open backdoors on hundreds of new ports each day -- some of which are intermixed with the ports for valid network services.

Oh yes -- also blocking on the port used for the pop-up spams would reduce those. That system was intended for use within a local network, so the system admin could send out a warning that the server was about to go down because of some problem. Unfortunately, that is on by default in Windows systems, and the spammers discovered this. (Mind you -- from my personal point of view, the more spammers use the popups, the less spam *I* see, as I will not let a Windows box have access to the net.)

About two thirds of the spam which I receive was actually delivered by compromised systems on local mass ISPs -- Road Runner, Comcast (who have gotten better recently), Southwest Bell, and quite a few other domestic ISPs. Note that they are originating from compromised machines belonging to their customers, and bypassing the ISP's mail servers.

The rest (of what actually reaches me) comes from compromised systems around the world. Some countries seem to be generally clueless about dealing with these, and others are simply ignoring it, or perhaps even actively aiding it. As a result, I have major chunks of the world blocked. I don't need to do business (with them or anyone), and I only receive spam from them. I had thought that Korea had gotten a lot better until recently, when a temporary screw-up turned off the IP-based blocking, and I got twenty from Korea in about an hour -- something close to what I get in a full day from the rest of the world. Needless to say, that blocking got turned back on rather quickly. There are other countries which are "block-on-sight" -- something gets through from there, and I block the widest practical IP range from there as evidenced by the spam.

Which level of address spoofing? E-mail addresses can be spoofed trivially. You have to learn to read and analyze headers to tell what part is real.

IP addresses can be faked only "sorta". They can get the packet to you from a spoofed IP address, but if your end can't contact that address and continue the handshaking for the connection, it doesn't do them any good. (Except for DOS attacks, where the idea is to flood your system with incoming connections which are never completed.)

Someone on your own local net can spoof an IP address successfully, unless you are using a switch instead of a hub for your connections. Once it goes through a router, it becomes a lot more difficult.

And programs like ssh compare the IP address to a signature from a previous contact with the system, to warn you about things like "man-in-the-middle" attacks.

Amen.

Enjoy, DoN.

Reply to
DoN. Nichols
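DoN's point that "you have to learn to read and analyze headers to tell what part is real" can be shown with a short Received-chain walker. This is an added example, not code from the thread: it parses a constructed message (documentation addresses only, not a real capture), treats the one Received line stamped by the receiving site's own mail exchanger (assumed here to be called mx.mydomain.example) as the only hop the recipient actually witnessed, and reports whether the From: domain agrees with that first hop. Every Received line below the first one was written by someone else's software and can say anything, which is why a forged From: and a forged lower Received line prove nothing.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed name of our own inbound mail exchanger; only the Received line it wrote is trustworthy.
OUR_MX = "mx.mydomain.example"

# Constructed sample: a "bank alert" that actually arrived from mail.example.net.
# The bottom Received line claims a bank server, but it was supplied by the sender.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [203.0.113.7]) by mx.mydomain.example with ESMTP id 4Xq1; Sat, 24 Sep 2005 10:00:00 +0000
Received: from friend-pc (unknown [198.51.100.23]) by mail.example.net with SMTP; Sat, 24 Sep 2005 09:59:50 +0000
Received: from smtp.bank.example.com ([192.0.2.99]) by friend-pc with SMTP; Sat, 24 Sep 2005 09:59:40 +0000
From: "Account Security" <alerts@bank.example.com>
To: victim@mydomain.example
Subject: verify your account

Please click the link below.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def received_chain(raw):
    """Received lines top to bottom, i.e. most recent hop first, as a list of dicts."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        hdr = re.sub(r"\s+", " ", hdr)  # unfold continuation lines
        m = HOP_RE.search(hdr)
        ip = IP_RE.search(hdr)
        hops.append({
            "from": m.group(1).lower() if m else None,
            "ip": ip.group(1) if ip else None,
            "by": m.group(2).rstrip(";").lower() if m else None,
        })
    return hops


def first_hop(raw, our_mx=OUR_MX):
    """The hop recorded by our own MX: the one Received line we know is genuine."""
    for hop in received_chain(raw):
        if hop["by"] == our_mx:
            return hop
    return None


def header_report(raw, our_mx=OUR_MX):
    """Summarise what the headers actually prove versus what they merely claim."""
    hop = first_hop(raw, our_mx)
    from_addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    host = (hop["from"] or "") if hop else ""
    # exact match or a proper subdomain; a plain endswith() would accept evilbank.example.com
    agrees = bool(from_domain) and (host == from_domain or host.endswith("." + from_domain))
    return {
        "first_hop_ip": hop["ip"] if hop else None,
        "first_hop_host": host,
        "from_domain": from_domain,
        "from_matches_first_hop": agrees,
        "unverifiable_hops": max(len(received_chain(raw)) - 1, 0),
    }


if __name__ == "__main__":
    for k, v in header_report(SAMPLE).items():
        print(f"{k}: {v}")
```

For the constructed message the report shows the witnessed hop is 203.0.113.7 at mail.example.net, the From: domain is bank.example.com, and the two lower Received lines are unverifiable; that first-hop IP is also the only one worth feeding into an IP-based block list of the kind DoN describes.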

Now that is a really slow internet connection, 24th Nov 04 to 24th September 05.

Alan in beautiful Golden Bay, Western Oz, South 32.25.42, East 115.45.44 GMT+8 VK6 YAB ICQ 6581610 to reply, change oz to au in address

Reply to
alan200
