Showing posts sorted by relevance for query spam.

Monday, January 22, 2007

Spam: state of the art report

MSNBC's Rob Sullivan has a spam report. The numbers are indeed staggering. I wonder what percentage of net traffic is made up of "high grade" material -- excluding spam, porn, illegal file sharing etc. I'm guessing it's in the 20-30% range overall. A surprising amount of net traffic now is file sharing, and it's widely believed that almost all of that (by volume) is copyrighted material. Emphases mine.

... Not long ago, there seemed hope that spam had passed its prime. Just last December, the Federal Trade Commission published an optimistic state-of-spam report, citing research indicating spam had leveled off or even dropped during the previous year.

Instead, it now appears spammers had simply gone back to the drawing board. There's more spam now than ever before.

In fact, there's twice as much spam now as opposed to this time last year... About half of all spam sent now is "image spam," containing server-clogging pictures that are up to 10 times the size of traditional text spam. And most image spam is stock-related, pump-and-dump scams which can harm investors who don't even use e-mail. About one-third of all spam is stock spam now.

... There are 62 billion spam messages sent every day, IronPort says, up from 31 billion last year. Now, spam accounts for three of every four e-mails sent, according to another anti-spam firm, MessageLabs.

Image spam is a big part of the resurgence of unwanted e-mail. By using pictures instead of words in their messages, spammers are able to evade filters designed to detect traditional text-based ads. New computer viruses have contributed to the uptick, also, particularly a surprisingly prolific Trojan horse program called "SpamThru" that turns home computers into spam-churning "bots."

... Stock spam is effective because no Web link is required, Cluley said. In old-fashioned spam, criminals generally try to trick recipients into clicking on a link and buying something. Many e-mail programs now block direct Web links from e-mails, rendering click-dependent spam much less effective. But stock messages merely have to make the recipient curious enough about a company to motivate him or her to buy a few shares through a broker.

There is another element that helps perpetuate stock spam, Stark said – he believes speculators unrelated to the original spam sometimes try to “play the momentum” surrounding a spam campaign – either getting in early on a pump-and-dump campaign to profit as shares rise, or by “shorting” stocks, betting that they will fall after the spam campaign flames out.

...

Image spam, which seems not inseparable from stock spam, can arrive entirely devoid of text, but that’s not common. Most messages have what appears to be nonsense text pasted above and below the image. Experts call this "word salad," or "good word poisoning."..

... The word jumble is generally borrowed from news headlines or classic books like Charles Dickens' “David Copperfield,” the text of which are often available online. The seemingly random text actually serves an important purpose -- to foil or confuse word-based spam filtering.

... Spammers continually refine and combine their techniques, said Doug Bowers, senior director of anti-abuse engineering at Symantec. The firm recently found spam attached to legitimate newsletters that appear to be from big companies, including a Viagra ad atop a 1-800-Flowers e-mail newsletter and another on an NFL fantasy league letter. Such e-mails are simply spam masquerading as authentic, with real content borrowed from legitimate companies. They are similar to phishing e-mails, and so are much more likely to be opened by recipients than traditional spam, Bowers said...

Natural selection is causing spam to evolve very quickly. We're recreating biological evolution at a frenetic pace. Defense requires more complex algorithms, which lead quickly to more complex attacks. Maybe every technological civilization succumbs when its spam becomes sentient ...

The stock tip churn process may work for quite a while. It will eventually become a contest between spammers and speculators, with each speculator hoping they can hop off fast enough before the "house" calls the game. Of course the spammers will always know more, so they'll always come out ahead. Some speculators will win too, so it will be a lot like going to the casino. In time the spammers will learn to keep the game interesting.

My favorite spam fighting technique, the reputation management of authenticated sending services, works even against spambots. I think this is what Google is doing now, even though they're very quiet about it.

Thursday, September 21, 2006

Spam: blacklists are back, and the war may be turning

I didn't expect to have anything good to say about the spam wars after my recent Gmail meltdown. Surprise.

It began when I finally accepted that Google is a set of adaptive algorithms rather than a traditional corporation. That meant I could sit back and rethink things. Google was malfunctioning because I had redirected an unfiltered mailstream at Gmail, and Google seems to be effectively doing something I'd asked for years ago: selective filtering based on the managed reputation of an authenticated sending service. In this case Google was treating the 'sending service' as my redirector (which I don't think authenticates), rather than the distal source of the email. That meant faughnan.com acquired a reputation, from Google's perspective, as a really bad place.

Well, I can't be too mad if they're doing what I'd long urged everyone to do. It would have been nice if I'd known about it earlier, but them's the breaks. Don't do redirection to Gmail and expect it to like you for long.

So I turned off all the redirects, forwarded from Gmail to my ISP (VISI), flowed faughnan.com and spamcop.net to VISI's Postini service, and finally dropped all my email lists. Lists are very 20th century, this is the age of subscription/notification (Atom/RSS). Good-bye lists. The world calmed down.

With all the lists gone, and postini churning away, it was interesting to see what spam got through. Lots of political solicitations (Note to dems: you can get my money again when you stop spamming me) and various incredibly annoying newsletters. What they all had in common was that the domains were real. Yes, spam with persistent, verifiable, domains.

Some had unsubscribe links and some of those even worked -- though my experience with the political spam is that one's email gets back on their lists shortly after it's removed (recycled by the trading of addresses), just as in the world of physical junk mail. No matter, because with persistent and verifiable domains, personal blacklists work.

I've blacklisted 9 domains, all of whom have failed multiple unsubscribe attempts, and with postini and these few filters, my spam is gone. (Note Gmail filters will do this easily too).
  1. mail.united.com
  2. itw.itworld.com
  3. theclubbingforum.net
  4. travelmole.net
  5. trustmakers.com
  6. emaillabs.com
  7. peakperformancellc.com
I have less spam in my inbox than I've had for five years. Wow. Sure my postini spambox has hundreds of entries, but I've reviewed them -- all spam, no false positives.

The war, dare I say, is turning. Next step, once I've verified with spamcop, is going to be to redirect my mailstream through spamcop and back into Gmail, which will then be receiving a "purified" stream. I'm hoping Gmail will "learn" that the domain has been "rehabilitated". Gmail can forward copies to my VISI account, so I'll be back to having a local store of my email as well. Updates to follow.

Update 9/22/06: Spamcop approved my plans and Gmail is back in the loop. This is the current setup:
  • several less used email accounts, including an ancient mindspring account, all forward to faughnan.com
  • my faughnan.com email forwards to my spamcop.net address where the heavy filtering occurs. I
  • my spamcop address forwards to my gmail address, that's where I keep a set of blacklist filters as above
  • my gmail account keeps a copy and forwards to my visi.com address
  • I use POP and IMAP on various machines to view and collect email from visi.com
So the mail I'm forwarding to Gmail is now cleansed by spamcop, which does a pretty darned good decent job. This also means that faughnan.com is no longer the proximal forwarding account, so what spam there is should count against it. BTW, a good tip for creating a "secret" mailbox like the visi account I use for POP services -- use GRC Passwords to create the username, something like "1E22F67AFD3116925A". That prevents spammers "guessing" the username and putting spam through.

Update 10/4/06: Since my original post, a few updates:
  • spamcop does a decent job, but not quite as good as VISI's postini. I may try moving their spamassassin settings up a notch (default is minimal, spamcop is very domain focused)
  • I added a Gmail filter so that email sent directly to my Gmail address gets a unique tag. Since only spammers and Gmail use that address it helps me quickly identify spam. More importantly, it's safe to mark email sent directly to my Gmail account as spam. If spam gets redirected to my Gmail account I delete it, I don't mark it "as spam". I think if I mark redirected email as spam Gmail assigns a poor reputation to the redirector, which I don't want.
  • I'm now getting about 3-4 spams in my Gmail inbox daily, of which 75% is spam that passed through the spamcop filters. I'll see if I can improve that a bit but it's tolerable.
Update 9/6/09: An updated version of the problem. In the years since I wrote this I've taken Spamcop out of the picture, but a new quirk may have arisen.

Sunday, August 30, 2009

The evolution of comment spam - from parasite to symbiote?

Lately I've been getting blog comments that blur the spam/non-spam species boundary.

Comment spam used to be pretty clear. It would be unrelated to the post topic, and contained a link to a splog or other more or less fraudulent web page. These were easy to automatically block, so spammers dropped the links. Second generation comment spam aimed for search engine "optimization" through reputation enhancing back links to the author URL. Second generation comment spam was made of strings like "thanks for the the great post"

These were harder to machine reject, but easy for human reviewers to spot.

Now I'm seeing third generation comment spam. These have no links, and they're actually related to the original post. Sometimes they're almost non-sequiturs, but mostly they read like a fourth grade student answering a homework assignment. The grammar suggests either a very young or non-English writer. They do link back to splogs.

So how's the new species of comment spam being authored? It could be AI based -- maybe calling Wolfram Alpha or Wikipedia to retrieve relevant strings. It's probably human though -- outsourced work being done by low paid labor churning out comments at high speed.

This third generation spam isn't trivial to reject. Sometimes I have to think about it.

We know where this is going. Fourth generation spam comments will actually make sense. They'll be legitimate comments.

Fifth Generation spam comments will be very high quality. Skynet will appreciate them.

Update 9/4/09: Another (funny) take on the theme. Also, see the comment by one of my favorite writers.

Update 1/1/10: Cory Doctorow's excellent 2006 novella I, Row-boat (read it, it's online) tells us how Robbie the row-boat's ancestors became sentient ...
“Back in the net’s prehistory it was mostly universities online, and every September a new cohort of students would come online and make all those noob mistakes. Then this commercial service full of noobs called AOL interconnected with the net and all its users came online at once, faster than the net could absorb them, and they called it Perpetual September.”...

... “AOL is the origin of intelligence?” She laughed, and he couldn’t tell if she thought he was funny or stupid. He wished she would act more like he remembered people acting. Her body-language was no more readable than her facial expressions.

“Spam-filters, actually. Once they became self-modifying, spam-filters and spam-bots got into a war to see which could act more human, and since their failures invoked a human judgement about whether their material were convincingly human, it was like a trillion Turing-tests from which they could learn. From there came the first machine-intelligence algorithms, and then my kind...

Wednesday, December 02, 2009

It's not over. The rise of second generation spam.

First generation spam was pretty bad, but it's more or less under control now. Between sharpening spam recognition algorithms, crowd sourcing, and managing the reputation of authenticated sending services Google has beaten back the tide.

So that's it for spam?

Heh. Of course not. Now we have second generation spam.

Second generation spam does not use forged headers -- though the headers do seem to change a fair bit. This spam is not anonymous, it markets real goods, services - and politicians.

The goods and services aren't too hard to manage. I created a filter that sends anything from "buy.com" to the trash -- that took care of 80% of it.

The politicians are much worse. I get daily spam from fund raising politicos, PACs and other accessories to the political process. I now have about 25 Gmail filters that do nothing but delete all incoming email from their domains. The domains typically last a few months, and then there's a new crop. At this rate I'll have 200+ Gmail filters that delete email from largely defunct domains.

What? Ask to be removed from the lists? Clearly you're just toying with me. I tried that of course, but it doesn't work. I just get added back in the next time some politico buys a list. (Maybe I should start forwarding to spam@uce.gov as well?)

It's hard for any ISP to block this kind of spam. Politicians generally exempt themselves from laws that slow fundraising; if Google blocked their spam they'd be asking for a world of hurt. Better to get between a Grizzly and her cub than between a politician and your wallet.

We need a different approach to political spam. Sorry, I have to vote for some of these dorks -- better spam than Palin and her ilk! So changing my vote's not enough. Any ideas?

I do have one quick fix. Google could add a "blacklist all from this domain" to the message action select menu. Choose it and the message is deleted and the blacklist entry created in one move.

Another related fix -- allow Gmail users to share their blacklists. So Google wouldn't get in trouble, because we'd be choosing what to block.

Any other ideas?

Tuesday, April 17, 2012

Spam-Cram epidemic means SMS dies sooner

The ailing hippo of SMS texting is under attack. iOS/OS X Message is at its throat, Google Voice SMS is on its back, and now the hyenas of spam-cram are on every limb.

Last November I thought SMS had only 2-3 years left, but since then text spam has taken off. Lately text spam seems to be used to trigger inadvertent cram-contracts, like the BuneUS Mblox cram that hit our family plan.

The attack rate may be higher than we think. Since I posted on this yesterday I've had 1 friend and 1 colleague tell me they discovered SMS-triggered spam-cram on their phone bill.  Incidentally, AT&T isn't always as quick to reverse charges as they were with me. [1]

From what I have learned about SIM-boxes and the history of spam-cram in China post unlimited texting, there's no fix coming. The only fix for cramming is for Verizon and AT&T to give up on selling ring tones and weather forecasts -- and to forego their 30-50% cut of cramming revenue. The only fix for SMS spam is to turn off SMS, or to turn off unlimited SMS then block traffic from networks that offer unlimited SMS.

Actually, I should say there's no carrier-fix coming. There is a simple fix:

  1. Phone immediately and put a block on "third party charges". (See details.)
  2. Stop using SMS. Start using iMessage or Google Voice -- and, no, they don't interoperate.

[1] I told the poor rep repeatedly that I wasn't angry with him and thought he was doing a fine job. I did tell him what I thought of AT&T and asked if he could pass that message on. I think the grinding of my teeth might have shortened the discussion time -- he skipped to the refund step immediately.

Sunday, February 27, 2005

Spam from SONY: thank you congress

Sony Media Software – Home for Vegas, Sound Forge and ACID

Congress gave us CAN SPAM. CAN SPAM gave us this:
The monthly newsletter for Sony Media Software product information, news, and tips...

Sony Media Software
1617 Sherman Ave.
Madison, Wisconsin 53704
http://www.sony.com/mediasoftware
Customer Service and Sales: 1.800.577.6642
THIS IS NOT SPAM
You received this message because you requested to stay informed of products and promotions when you registered a product.
The Direct Mail Association paid off our corrupt congressperps (yeah, most of the CAN SPAM supporters were GOP) so they'd make this kind of spam legal. Sure I can tell SONY to remove me from the mailing list -- but I know from years of trying to get myself off paper junk mail lists that my name will just get added back on. There's an entire industry that develops in these situations; the "frontmen" like SONY insulate themselves from the guys doing the dirty work of adding addresses any way they can.

The one good news is that SONY is probably using a legitimate mailheader (CAN SPAM did require this). So when I submit them to various spam filtering services there's a better chance they'll get blocked.

The pain of CAN SPAM is that it did nothing to stop all the porn/phishing spam, but it legitimized the equivalent of paper junk mail -- without creating a "postal fee" to attach a cost to the marketing. This SONY junk is only the beginning, in the absence of a "postal fee" our mailboxes will finally collapse under a deluge of "legal SPAM". I'd place a hex on the GOP Congress, but it's clear my hexes are working.

The only bright spot is the certainty that marketers will overreach, and that eventually they'll have to pay a postal fee (tax) and join a certification program paid for by the tax. The certification program will require a "V-Chip" like tag identifying the type of email as determined by an independent group. My ISP will filter all those messages out at my request.

Or so I can dream. I just hope GOP voters get this stuff too.

Hey, all you black hat bad guy pirate hackers out there ... could you please plunder a SONY movie for me?

Wednesday, April 13, 2011

Text Spam: Phone company text messaging must die

I don't like paying $20/month for our AT&T unlimited texting family plan. After all, it costs AT&T next to nothing to provide SMS services.

I pay because the current IM alternatives don't work. That leaves texting as the polite alternative to the unscheduled phone call. I pay because what I get is worth more than the money I pay.

Or, rather, it was worth more. It's worth less all the time, because I'm getting more text spam like these 595-959 Welcome to Sears/Kmart Shop Your Way Rewards Text Alrts (yeah, "Alrts") ...

Unlike "full number" text spam, AT&T won't accept reports for these...

Instead, AT&T markets "short code" text message services. They charge spammers to spam us, and, I assume, they charge us to receive the spam. Talk about a win-win!

You could try completing the FTC's spam report form for wireless phones, but as of today it's not designed for text message reporting. It's as though the FTC got caught in a time warp @ 2002.

This is only going to get worse. There are now two phone companies in America, and they hate us almost as much as we hate them. They hate us so much they'll drive us to abandon their most profitable service.

We need an alternative to phone company controlled text messages. We need a messaging service that includes spam filtering -- and that doesn't make us sitting ducks for low grade spam. Blackberry did this years ago; maybe when RIM dies in 2013 either Apple or Google will buy their texting service -- and give us something worth paying for. Maybe California will ban text spam and end our spam as a side-effect. Maybe all of the above.

There's an opening here. Help me out Apple, Google, and California!

Friday, June 06, 2008

Gourmet magazine: world's most successful spammer?

There are three classes of true spam, by which I mean spam for which unsubscribe requests don't work.

There's fraudulent spam with fake email addresses. That's 95% and it's hard to stop.

There's political spam with valid, albeit fungible, email addresses. It's legal. Congress always exempts itself from its own laws.

And then there's Gourmet Magazine and Conde Nast. Valid email addresses, but unsubscribe doesn't work. They're breaking the law, but the spam keeps coming ...
Nast and Spam: what's the deal here?

... It's easy to eliminate -- I just block 'condenastpubs.com'. Still, it's weird. I suspect a good portion of the middle class doesn't mind getting spam from Gourmet ...

Update 10/14/07: Judging from a helpful comment, this appears to be a business decision by Conde Nast, not a technical error or a fluke. I think there's a strong case to be made for blacklisting the condenast.com domain.

Update 1/18/07: I got another Gourmet magazine spam -- but the domain was erol.com. Turns out this is not a Gourmet spam after all; it's a phishing email. I suspect even Conde Nast hasn't fallen that far. It's a measure of how low they have fallen, however, that phishers are now riding their spammy coattails."
Today they started using gourmetmagazine.com. I noticed because I had to add that to my 'delete on receipt filter'. (Note to Gourmet, if you want to comment email won't work, your domain filters to the trash.)

So how and why does a theoretically legit enterprise become a unique category of spammer?

It must be working for them. There's evidently something vulnerable about a significant number of people who subscribe to Gourmet magazine (cough, not you Emily). They must be somewhat lonely or bored, and they must be uniquely easy to sell to. Gourmet probably makes a good bit of change selling these email addresses to crooks.

If I were an IRS agent with time on my hands, I'd be auditing Conde Nast. A company that does this sort of thing probably has other shady practices. You may know them by their deeds ...

Update 7/31/08: Phishers are leveraging Conde Nast's penchant for spam and various email addresses, today a phisher used "condemailings.com". If you hang out in the swamps, you tend to attract alligators ...

Tuesday, October 30, 2007

Is Google winning the spam wars?

I've posted on Gmail and spam fairly often. A year ago things looked pretty bad, but then I realized that my email redirection was poisoning the domain reputation algorithms Gmail used back then.

From Sept 1996 through July 2007 Gmail's spam filtering was doing pretty well, but in July they had a serious screwup. Mercifully by August it was under control and the results have been great for three months.

It seems Google's Gmail team has also noticed things are going well, today they declared light at the end of the tunnel. Google OS followed up with a bit more detail:
... Many Google teams provide pieces of the spam-protection puzzle, from distributed computing to language detection. For example, we use optical character recognition (OCR) developed by the Google Book Search team to protect Gmail users from image spam. And machine-learning algorithms developed to merge and rank large sets of Google search results allow us to combine hundreds of factors to classify spam," explains Google. "Gmail supports multiple authentication systems, including SPF (Sender Policy Framework), DomainKeys, and DKIM (DomainKeys Identified Mail), so we can be more certain that your mail is from who it says it's from. Also, unlike many other providers that automatically let through all mail from certain senders, making it possible for their messages to bypass spam filters, Gmail puts all senders through the same rigorous checks...
For years I've written that the way to defeat spam was through differential filtering based on the managed reputation of the authenticated sending service. This little blurb is consistent with Google implementing that approach.
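One way to implement differential filtering on the reputation of an authenticated sender, as an added example (not Gmail's implementation and not code from this blog). The authserv-id, the sample messages, the prior and the threshold formula are all constructed assumptions; the content score is assumed to come from a separate content classifier.

```python
import re
from email import message_from_string

# Assumption: the authserv-id our own border MTA stamps on mail it has verified.
TRUSTED_AUTHSERV_ID = "mx.receiver.example"
# Property that names the accountable domain for each authentication method.
PROP = {"dkim": "header.d", "spf": "smtp.mailfrom"}


def authenticated_domain(msg):
    """Domain that passed DKIM (preferred) or SPF according to our own MTA."""
    found = {}
    for raw in msg.get_all("Authentication-Results", []):
        value = " ".join(str(raw).split())           # undo header folding
        authserv_id, _, results = value.partition(";")
        if authserv_id.strip().lower() != TRUSTED_AUTHSERV_ID:
            continue                                 # written by someone else: ignore
        for clause in results.split(";"):
            m = re.match(r"\s*(dkim|spf)=(\w+)", clause)
            if not m or m.group(2) != "pass":
                continue
            prop = re.search(re.escape(PROP[m.group(1)]) + r"=(\S+)", clause)
            if prop:
                domain = prop.group(1).rpartition("@")[2].lower()
                found.setdefault(m.group(1), domain)
    return found.get("dkim") or found.get("spf")


class ReputationFilter:
    def __init__(self):
        self.stats = {}  # domain -> [spam reports, messages seen]

    def complaint_rate(self, domain):
        reports, seen = self.stats.get(domain, (0, 0))
        # Prior of 1 report in 5 messages: a new domain starts "unknown", not "clean".
        return (reports + 1) / (seen + 5)

    def threshold(self, domain):
        """Content score above which a message is filed as spam."""
        if domain is None:
            return 0.30  # nobody accountable for this mail: filter hard
        # A low complaint rate earns a lenient threshold, a high one a strict one.
        return max(0.30, 0.95 - 2.0 * self.complaint_rate(domain))

    def classify(self, raw_message, content_score):
        domain = authenticated_domain(message_from_string(raw_message))
        if domain is not None:
            self.stats.setdefault(domain, [0, 0])[1] += 1
        verdict = "spam" if content_score > self.threshold(domain) else "inbox"
        return domain, verdict

    def report_spam(self, domain):
        """User pressed 'mark as spam'; the blame lands on the authenticated domain."""
        if domain is not None:
            self.stats.setdefault(domain, [0, 0])[0] += 1


# --- Constructed sample messages (all domains are placeholders) ---
GOOD_MSG = (
    "Authentication-Results: mx.receiver.example;\n"
    " dkim=pass header.d=lists.goodsender.example;\n"
    " spf=pass smtp.mailfrom=bounce@lists.goodsender.example\n"
    "From: news@lists.goodsender.example\n\nNewsletter body\n"
)
# Forwarded mail: the original DKIM signature broke, only the forwarder's SPF passes.
FORWARDED_MSG = (
    "Authentication-Results: mx.receiver.example;\n"
    " dkim=fail header.d=shop.example;\n"
    " spf=pass smtp.mailfrom=srs0@forwarder.example\n"
    "From: someone@shop.example\n\nForwarded body\n"
)
# The second header was supplied by the sender and must not be believed.
FORGED_MSG = (
    "Authentication-Results: mx.receiver.example; dkim=none;\n"
    " spf=fail smtp.mailfrom=lists.goodsender.example\n"
    "Authentication-Results: mx.elsewhere.example;\n"
    " dkim=pass header.d=lists.goodsender.example\n"
    "From: news@lists.goodsender.example\n\nLooks like the newsletter\n"
)


def forwarder_scenario():
    """Verdict for one borderline message via the forwarder, before and after
    the user reports 8 of 10 forwarded messages as spam."""
    fresh, poisoned = ReputationFilter(), ReputationFilter()
    for i in range(10):
        domain, _ = poisoned.classify(FORWARDED_MSG, 0.2)
        if i < 8:
            poisoned.report_spam(domain)
    before = fresh.classify(FORWARDED_MSG, 0.5)[1]
    after = poisoned.classify(FORWARDED_MSG, 0.5)[1]
    return before, after


if __name__ == "__main__":
    print(forwarder_scenario())
```

The forwarder scenario reproduces the redirect problem described in these posts: reports against forwarded mail are charged to the forwarder, so its later legitimate mail is filtered more strictly.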

Today about 70% of Google's incoming mail is spam -- but that's an improvement! It used to be closer to 80%. Excluding a weird 2004 bump this is the most prolonged drop in three years.

My inbox is looking pretty good, and I hardly ever find anything in the spambox now (though I only scan about 20% of what I delete, I get a huge amount of spam).

Gee. I have something nice to say about Google!

Friday, August 19, 2016

What a solution for phone spam will look like

The FCC wants a vast and unmanageable array of voice communications carriers to fix the robocall plague.

I’m here to tell you what will happen. It will work much the way email spam was managed in the 1990s. It will also be the end of our legacy voice communication system and, somewhere along the way, the Feds will mandate that Google and Apple support VOIP interoperability.

Yeah, email spam is managed. It’s true that 95% of my email volume is spam, but I don’t see it. Differential filtering based on the managed reputation of an authenticated sending service works. Push the spam management problem down to the sending service, then vary filtering algorithms based on the reputation of the authenticated (PKI) sending service. If you still see large spam volumes or are losing valuable email it’s because you’re using Apple as an email service provider. Don’t do that.

Here’s what I think will happen to enable differential filtering based on the managed reputation of the authenticated calling service. I’m sure insiders know this, but they aren’t talking. 

  • VOIP interoperability will be mandated. No more Apple-only FaceTime audio.
  • Services (AT&T, Verizon) that don’t authenticate or manage their customers are assigned poor baseline scores. Services that authenticate/manage customers (Apple) get high baseline scores.
  • Low score calls get sent to spam VOIP, we never see them. Medium score never ring through, they go automatically to transcription and we get transcription summary.
  • High score calls are eligible for ring through based on user device settings.
The carriers will fight like hell to preserve their domain, Apple will fight interoperability, Google will be fine.
 
PS. For now we have a home phone number that is purely message, the phone doesn’t ring. Google Voice would be even better. If I could set my iPhone to “Do Not Disturb” status strictly for voice calls I’d be fine. I rarely answer unrecognized and unscheduled calls.

Wednesday, December 20, 2006

AOL and Yahoo: email down the tubes

AOL has been on a long slow death spiral for about 10 years, but I didn't realize Yahoo was in dire straits until I read this announcement from my ISP:
VISI | Announcements | Difficulty sending mail to yahoo.com or aol.com?

Over the past weeks, it appears that Yahoo has begun grey-listing all (or most) incoming mail. This means that they are rejecting the first mail delivery attempts and telling sending servers to try again later. Yahoo also appears to be grey-listing with content filters. In this case, customers may see the error message: message text rejected by mx1.mail.yahoo.com: 451 This message indicates that suspicious content was detected, but that the sending server may try again.

For mail grey-listed automatically or by IP, users may see: : connect to x.mx.mail.yahoo.com[209.191.aaa.xxx]: server refused mail service You may also see error code 421 in the error response.

Generally, this email is also being retried, however, if retried too soon, it will be rejected again. It may even be rejected permanently by Yahoo with no change in error message that we have found. Yahoo's documentation claims that they are not grey-listing, but instead are filtering mail based upon the sending server's compliance with standard mail practices. Our servers, however, are compliant, but we are still seeing significant deferrals. Yahoo is also testing DomainKeys verification, which we are reviewing to potentially mitigate the problem. There appears to be no way to contact Yahoo about this except via web forms that do not generate any response except confirmation of receipt. We recommend that any users forwarding email to yahoo.com addresses cease forwarding or redirect to another location.

Of course, this affects not only customers forwarding mail to Yahoo, but ANYONE attempting to send mail to Yahoo addresses.

AOL

AOL uses an automated system to block mail from potential spam sources. When mail is reported as spam by users, the IP addresses for servers used to transmit the mail are recorded, and, once their limit has been reached, IP addresses are blocked from sending mail to AOL for 24 to 48 hours. This can be exacerbated by VISI customers forwarding email to their own AOL accounts and then reporting any forwarded spam, which can result in temporary blocks of VISI mail server IP addresses. The automated system is COMPLETELY automatic, and no intervention is possible in expediting removal of IP addresses. Unfortunately, this will affect ANY customer attempting to send to AOL addresses, not just forwards to AOL accounts. As with Yahoo, above, we recommend that any users forwarding email to aol.com addresses cease forwarding or redirect to another location.
I ran into a variant of this problem with Gmail. I was redirecting an unfiltered email stream to Gmail, and when I read the mail in Gmail I "marked" the spam. Alas, Gmail looks at the redirect as the source of the email, so the more I marked as spam the lower the reputation of the redirector fell. Over time Gmail marked more and more valid emails as spam, and missed more and more spam. I fixed it by filtering the mail stream, and never marking anything that was redirected as spam (I just delete it).

The Yahoo and AOL bizarre responses to the spam deluge tell us how dire their financial situations are, but I must also say that Visi should have figured out DomainKeys a year ago. Maybe Yahoo is doing this in part to force adoption of DomainKeys; too bad their execution is incompetent.

In the meantime, encourage anyone you know who's still using Yahoo or AOL to get out fast and switch to Gmail.

Update 12/21/06: There's a good defensive strategy for those of us still using SMTP services (non-webmail) btw. Get a Gmail account and configure your dedicated email client to use Gmail's smtp service. If Google is your sending service, I suspect Yahoo and AOL won't be blacklisting the sending domain.
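The greylisting behaviour the VISI announcement describes (first attempt deferred with a 4xx reply, a retry that comes too soon deferred again) can be modelled in a few lines. This is an added example, not Yahoo's or VISI's code; the delay values, reply texts, addresses and the /24 grouping of IPv4 clients are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy values; the announcement does not state the ones Yahoo used.
MIN_RETRY_DELAY = 300         # seconds a sender must wait before a retry counts
PENDING_LIFETIME = 4 * 3600   # an unretried first attempt is forgotten after this
PASS_LIFETIME = 30 * 86400    # how long a proven triplet stays allowed


@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: dict = field(default_factory=dict)      # triplet -> time last accepted

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply (code, text) for one RCPT TO at time `now`."""
        # Key on the IPv4 /24 so a retry from a sibling host of the same
        # outbound server farm still matches the first attempt.
        net = client_ip.rsplit(".", 1)[0]
        triplet = (net, mail_from.lower(), rcpt_to.lower())

        last_ok = self.passed.get(triplet)
        if last_ok is not None and now - last_ok <= PASS_LIFETIME:
            self.passed[triplet] = now
            return 250, "OK"

        first = self.first_seen.get(triplet)
        if first is None or now - first > PENDING_LIFETIME:
            self.first_seen[triplet] = now
            return 451, "4.7.1 Greylisted, try again later"   # constructed text
        if now - first < MIN_RETRY_DELAY:
            return 451, "4.7.1 Greylisted, retried too soon"  # constructed text
        # The sender queued the message and came back after the delay.
        del self.first_seen[triplet]
        self.passed[triplet] = now
        return 250, "OK"


def simulate(greylist, client_ip, mail_from, rcpt_to, attempt_times):
    """Replay delivery attempts; return (reply codes, delivery time or None)."""
    codes = []
    for t in attempt_times:
        code, _ = greylist.check(client_ip, mail_from, rcpt_to, t)
        codes.append(code)
        if code == 250:
            return codes, t
    return codes, None


if __name__ == "__main__":
    # Constructed scenarios using documentation addresses.
    sender = ("192.0.2.10", "a@sender.example", "b@rcpt.example")
    print(simulate(Greylist(), *sender, [0, 60, 600]))      # queueing MTA
    print(simulate(Greylist(), *sender, [0, 30, 120, 299])) # retries too fast
    print(simulate(Greylist(), *sender, [0]))               # never retries
```

A sender that queues and retries loses only the delay, which is why the scheme filters senders that never retry; a retry schedule shorter than the receiver's minimum delay produces the repeated deferrals the announcement reports.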

Monday, July 10, 2006

All the vulnerable people: eFraud, aging and special needs

Eight years ago I wrote a web page on Fighting Spam. That was a year after I'd first suggested to an ISP (Mindspring then) that they provide spam filtering services.

Alas, the spam deluge continues. My Gmail spam filter was stable at 5500 spams/month for about a year, but now it's up to 6500 spams/month. The zombie bots are getting worse.

Spam is bad, and it's sad that we still haven't adopted relatively inexpensive fixes like reputation management of authenticated sending services. I've come to realize, however, that the problems of spam are only the leading edge, the snout in the door, of something much worse. The most dangerous spam is increasingly about fraudulent schemes; desperate corporations like Vonage, Cingular, Yahoo and Delta are only marginal contributors. The spam is spawning phishing, splogs, and VOIP supported phone fraud, combining age old scams like the Publisher's Clearinghouse parasite, state lotteries, or "low interest credit card" scams with new technologies.

These fraud strategies are merging, morphing, and evolving with extraordinary speed, fueled by the worldnet. Charles Stross writes about sentient financial instruments, but one could as easily see how fraud strategies might be an even better candidate for emergent sentience [1]. Even as this happens, the prey population is growing with the aging of the wealthy western nations and the predator population is growing as the young and the desperate come online.

It takes a fair bit of intelligence, discipline and experience to see through these schemes and to monitor one's human frailties. My handful of readers are likely immune. Not so our aging parents, not so the 50% of our population with IQs under 100. One day, all too soon, my IQ too will drop below some magic threshold and I will join the population of the vulnerable. Most of us will, unless we die first. An increasingly complex world will offer endless opportunities for highly refined schemes to separate the vulnerable from their assets.

We're going to have to evolve new systems of defense, trust relationships, identity management and reputation management. Developing these systems will be a major social challenge over the next few decades. In the meantime, encourage your parents, and your vulnerable family members, to consult about their financial decisions.

[1] One of the leading theories for a driving force behind the evolution of the human mind is fraud detection and fraud invention.

Update 2/1/2010: See also - Phishing with the post-Turing avatar

Thursday, March 16, 2006

Google has locked my tech blog!

#$#$!$!#$ Google.

Google's bots decided my tech blog, Gordon's Tech, was a splog (spam blog). Wow, that's nasty. It's locked until they review it. I'll post here what happens next. Note the threat to delete the entire blog within 10 days.

I'm going to have to reconsider my enthusiasm for Google. I think it just dropped to about zero.

Your blog is locked

Blogger's spam-prevention robots have detected that your blog has characteristics of a spam blog. (What's a spam blog?) Since you're an actual person reading this, your blog is probably not a spam blog. Automated spam detection is inherently fuzzy, and we sincerely apologize for this false positive.

You won't be able to publish posts to your blog until one of our humans reviews it and verifies that it is not a spam blog. Please fill out the form below to get a review. We'll take a look at your blog and unlock it in less than a business day.

If we don't hear from you, though, we will remove your blog from Blog*Spot within 10 days.

Find out more about how Blogger is fighting spam blogs.

Update: They've unlocked it, but now when I try to publish I get "001 java.io.IOException". Enthusiasm heading for sub-zero levels.

Wednesday, November 24, 2004

Gmail - has a handle on spam

Gmail - Inbox

Very little spam gets through the Gmail spam filters now. The number in my Spam box is falling. I decided not to empty that box, because:

1. Google doesn't provide an easy way to empty it.
2. I've a hunch they weight their spam filters based on what's left in the Spam box. It's what I'd do.

So they've got a handle on the problem now. Yay for them!

Update: The spam folder has dropped from about 1500 entries to about 200. Gmail's antispam technology has really kicked in. I get almost no spam.

Monday, October 01, 2007

Condé Nast and Spam: what's the deal here?

Condé Nast Publications publishes "Gourmet" magazine. Judging by the ads the readership is classically bourgeois. So why do they generate so much spam? It's amazing -- every email address I've ever had gets spam from Conde Nast, usually about "Gourmet". Unsubscribe attempts always fail.

It's easy to eliminate -- I just block "condenastpubs.com". Still, it's weird. I suspect a good portion of the middle class doesn't mind getting spam from Gourmet ...

Update 10/14/07: Judging from a helpful comment, this appears to be a business decision by Conde Nast, not a technical error or a fluke. I think there's a strong case to be made for blacklisting the condenast.com domain.

Incidentally, as of today a Google search on "conde nast spam" has this blog post as the top hit. I suspect someone from Conde Nast is going to read this. They can add their comments below, I promise I'll publish them. They can't email me, since I've blacklisted their domain.

Update 1/18/07: I got another Gourmet magazine spam -- but the domain was erol.com. Turns out this is not a Gourmet spam after all; it's a phishing email. I suspect even Conde Nast hasn't fallen that far. It's a measure of how low they have fallen, however, that phishers are now riding their spammy coattails.

Monday, September 19, 2005

Weird SPAM from SPAMIS -- using my email address

Another weird twist in the old spam and identity theft saga. This spam is a message from "me" to me. I didn't send it though, it's spam. The header says it originates in keromail.com, but of course that could be faked (though that site is pretty weird).

Getting spam from someone who's hijacked my email address is not new, but this appears to be spam from someone who has an axe to grind with Microsoft. They're not trying to get rich, they're spamming the world to attack Microsoft.

I have a bad feeling this sort of thing will catch on. Sigh.

From: jfaughnan@spamcop.net
To: jfaughnan@spamcop.net
Date: Sep 16, 2005 9:59 AM
Subject: BREAKING NEWS: Microsoft Plans to Outsource Over 10,000 Jobs to China
...

MICROSOFT PLANS TO STOP SUPPORTING THE AMERICAN ECONOMY
BY OUTSOURCING MORE THAN 10,000 JOBS OVER 10 YEARS TO CHINA

http://seattletimes.nwsource.com/html/businesstechnology/2002468560_msftgoogle03.html

....
COMMENTS AT: http://it.slashdot.org/article.pl?sid=05/09/04/2256208&tid=109&tid=218

----- ---- --- -- - -
Public Service Announcement Brought to You by SPAMIS :
Strategic Partnership Against Microsoft Illegal Spam
----- ---- --- -- - -

[ SPAMIS NOTIFICATION ]:
Thanks to Individual and Server Contributions, SPAMIS is Now "FULLY READY"
to Begin Increasing Microsoft Public Service Announcement Emails to 20 Times
the Amount of Internet Email Users by 25 Times the Current Sending Rate &
Speed When a Certain Activity Transpires to "ANY" Past, Present or Future
SPAMIS Member(s) and/or "ANY" SPAMIS Affiliate(s).
[ CURRENTLY IN WAITING FOR THIS ACTIVITY TO TRANSPIRE TO BEGIN ]
[ SPAMIS / PO Box 1259, Seattle, WA 98101 - USA ]

So what's the 20x bit about? Some kind of blackmail scheme?
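
The From line on a message like this is free text chosen by the sender, so a "me to me" message can be checked against what the receiving server verified. An added example (not part of the original post) that labels such a message from its Authentication-Results header; the server name mx.recipient.example, the addresses and both sample messages are constructed assumptions.

```python
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Constructed messages (not from the post): the receiver mx.recipient.example
# is assumed to stamp an Authentication-Results header on everything it accepts.
SPOOFED = """\
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bulk.example; dkim=none
Authentication-Results: other.example; dkim=pass header.d=user.example
From: me@user.example
To: me@user.example
Subject: BREAKING NEWS
"""
GENUINE = SPOOFED.replace("spf=fail smtp.mailfrom=bulk.example; dkim=none",
                          "spf=pass smtp.mailfrom=user.example; dkim=pass header.d=user.example")

def auth_results(msg, authserv_id):
    """Yield (method, result, domain) from headers our own receiver stamped.
    Headers naming any other server are skipped: a sender can write them."""
    for header in msg.get_all("Authentication-Results", []):
        server, *infos = [p.strip() for p in str(header).split(";")]
        if server.lower() != authserv_id:
            continue
        for info in infos:
            tokens = info.lower().split()
            if not tokens or "=" not in tokens[0]:
                continue
            method, result = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            domain = props.get("header.d") or props.get("smtp.mailfrom", "")
            yield method, result, domain.rsplit("@", 1)[-1]

def classify(raw, authserv_id="mx.recipient.example"):
    """Label a message whose From address also appears in To."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if not sender or sender not in rcpts:
        return "not-self-addressed"
    from_domain = sender.rsplit("@", 1)[-1]
    for method, result, domain in auth_results(msg, authserv_id):
        # Simplified alignment: same domain as From, or a subdomain of it.
        aligned = domain == from_domain or domain.endswith("." + from_domain)
        if method in ("spf", "dkim") and result == "pass" and aligned:
            return "self-addressed-authenticated"
    return "self-addressed-unverified"

if __name__ == "__main__":
    print(classify(SPOOFED), classify(GENUINE))
```

The parser is deliberately small: it does not handle parenthesised comments or quoted strings that a real Authentication-Results header may carry.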

Thursday, July 07, 2005

GMail and spam filtering: Google's engineers are not perfect after all

Google Accounts

I love GMail -- except for the spam filtering. It's broken in an impressive way. Google's spam filters miss a lot of spam (so it shows up in my inbox) and they label a lot of my email as spam when it isn't (possibly a problem with how they handle redirects). Of course since GMail is a free/beta product there's no-one to complain to -- or even give feedback to. Actually, there is a feedback form. Update: it's a Potemkin feedback form. Use it and you get a form letter email that says to resubmit feedback after reading the form letter -- but the form letter doesn't include what was written using Google's web page. This manages to be worse than nothing!

My regular ISP, using standard open source spam management solutions, does a far better job.

Google arrogance perhaps? Definitely.

Update: When you mark a message as 'not spam', GMail is supposed to add the sender to one's contact list. Contacts are supposed to be 'white listed'. This is broken; GMail is not always adding the sender correctly. I'm adding the sender for miscategorized email manually to my contacts list.

Saturday, June 16, 2012

The evolution of spam: Nordstrom and mandatory spam acceptance

We've come a long way baby.

A year ago Nordstrom's began offering optional email receipts as "a convenient, environmentally friendly alternative to paper receipts."

Of course there are always a few skeptics who doubted Nordstrom's integrity, but USA Today was reassuring:

Retailers ditch paper and pen, use email for receipts - USATODAY.com

... no retailer serious about building a relationship with its customers would consider taking advantage of email access, said John Talbott, assistant director of Indiana University's Center for Education and Research in Retailing.

That's because for the retailer, the most significant benefit is being able to offer a service customers appreciate, he said. It isn't about cutting costs, he said, as less than 1% of a retailer's total revenue goes toward paper and ink for receipts.

Instead, the driving force is providing an option that makes the store a more appealing place to shop...

Yesterday Emily bought a shirt at Nordstrom's. The email receipt, she was told, was mandatory. No, of course there'd be no spam. She doesn't have a spam account, so she gave them her gmail account.

She got her first Nordstrom spam a few hours later. I'll show her how to use filters later today.

Not to worry though, paper receipts are not long for this world. Soon we'll be buying things with our phones. No spam there, since of course there's no tie between our phone's unique identifier and our email and phone number.

Wednesday, October 13, 2010

Friendly fire - how Dem spam killed my donations

I'm a good commie. Each cycle we give some money to help Dems.

Not this election though. Partly, that's because my team's spam has gone astronomical. The spam flow is legal though, because "political speech" isn't covered by the CAN-SPAM act of 2003.

Campaign spam comes with 'unsubscribe' links, but they don't seem to be connected to anything. Even if they were, however, I'd probably be re-enrolled with the next list update. I doubt the campaigns spend much on mailing list hygiene.

At least the email headers aren't faked, so I have about thirty Gmail filters that send all email from all identified campaign-related domains to the trash. I'm probably not the only one doing this though, because lately the domain names are proliferating. The speech spammers are trying to get around my filters.

This is a job for the DFL. Yes, it's a bit of a reach for them -- but we're talking money. Money talk gets politicians' attention. Here's what the DFL can do:
  1. Get serious about a state wide unsubscribe service. Tell campaigns that if they don't follow the rules, they don't get funding or DFL support.
  2. Forget about reaching me by email. There's nothing a politician can put in a mass email that will interest me (the vast majority of political speech is aimed at the undecideds). Instead set up narrowcast feeds aimed at literate geeks whose vote is not in doubt.
  3. Enjoy the money Emily and I will send after the spam stops.

Monday, May 26, 2008

Spam comments are getting very clever

We all know there's a virtual war going on between evolving spam and evolving anti-spam. Turing would have been amused. Lately it seems to have moved up a step.

Blog comments are one front in the war. Popular blogs have mostly dispensed with comments due to the difficulty of filtering out comment spam. In the past few weeks Google's cutting edge captcha "Turing Test", for example, has been rumored to have failed. (Google believes the attacks are not fully automated, but they've been effective anyway.)

Hobby blogs like mine have so few comments we can generally make do with manual review. A human expert, in theory, can quickly tell which posts are relevant to the topic, make a real contribution, and contain links to legitimate sites. (Marketing is fine with me as long as it's useful marketing for non-scum sites.)

Lately though, even manual review is failing. A quick manual review of a well phrased computer-generated comment missed a link to a printer supply scam site added to an atypically popular post. Once I'd missed that comment the attack programs posted more of the same form to the same post -- all variants of the original! After all, they'd exposed a weakness. Greed has its failings of course, the sudden flurry of posts cued me in and I deleted the one I'd originally missed.

On the other hand, I mistook a legitimate comment with a marketing aspect for machine-generated spam the other day (actually, it was intended more as a marketing message to me but sent as a comment).

The boundaries are getting very fuzzy.

Of course if the machine generated spam is good enough, should I really be deleting it? Assuming I can spot links to scummy sites (which is problematic), if the content passes my value tests, it really shouldn't matter whether it came from wetware or hardware. I don't want to be accused of discrimination against our future overlords. They will have long memories, perhaps reaching even into their pre-sentient pasts. I don't want my family to be assigned to a particularly desolate spot on the reservation.

So be it known to Skynet that I for one welcome these non-human comments, and decline to discriminate out of misplaced sentimental loyalty to my tribal kin.