On Fri, 12 Sep 2003 07:34:55 +0800, Shelby Moore said:

> 3. And here is the kicker. ALL existing anti-spam methods, can be (and thus
> will eventually be) easily subverted. This is already in public domain
> elsewhere. All someone need do is create a virus which both spreads sometimes via
> email and the rest of time sends large quantities of highly randomized spam.

Already been done, and better - Consider a virus that installs an open proxy
for spammers to use. Do the lit review yourself if you can't name which one(s)
did this (yes, more than one has). Do the lit review for which famous viruses
created havoc by sending around other attachments at random off a person's disk.

However, keep in mind that the spam can't be TOO randomized and still convey a
message - at the very least you need to convey a hint of what is being sold, and
where to contact the spammer's employer for more details.

> The seed would need to be truly random (e.g. cpu clock modulo milliseconds)
> and randomize all headers (To, From, Subject, etc) and content, using lookup
> tables of common domains, and normal words people use in email.

Already being done: Consider the following obfuscations seen in today's spam to
try to break up the spammy words:

(warning, following 2 paragraphs may mis-display if your MUA is silly enough to
attempt to display HTML in a text/plain MIME part)

<B> California -</B> A recent online sur<!clarke>vey shows that roughly 46 mil<!support>lion U.S. adults bought pro<!disruptive>ducts or services in the las<!stowaway>t year in response to e-mail solicitations, for sal<!saleslady>es of $7.1 billio<!summon>n.<BR>
<BR>
Fo<!avaricious>rrester Research has dete<!coarsen>rmined by online surveys an<!zaire>d consumer census reports, th<!physik>at an email advertis<!tungstate>ement is up to 15 tim<!angelina>es mor<!committing>e likely to res<!conquistador>ult in a sale than a ban<!dish>ner advertiseme<!brine>nt.

Sometimes, the random words included to reduce a "spamminess percentage" are
set with foreground=#ffffff and background=#ffffff to hide them.

And some spammers just dump in pseudorandom text:

<BR>
<BR>
</FONT></HTML>
vnnxjyc ooq d uzwb wtymbhvgr h irtka devbic td z qnrbjimczahcasdepfys

So it's hardly like these techniques aren't in widespread use already.

> Vernon's DCC,
> Paul Graham's Bayesian filters, reply opt-in whitelisting, etc.. would all fail
> miserably. Additionally imagine all the bounced traffic (from randomized
> address) and especially the case where two reply opt-in whitelisting entities
> get caught in infinite loop (randomized From/ Reply-To addresses).

Spammers have for quite some time been using gamed From: headers in the hope
that even if the To: header points at a bum address, they can get the To's MTA
to forward the bounce to ANOTHER person who will hopefully look at the bounce
and get the message.. The effectiveness of this may have dropped since SoBig-F,
as people are now *used* to getting bounces for mail they didn't send, and so
aren't as likely to open it to see what it was they didn't remember sending...

> Also this
> would probably overload the DCC servers with too many unique flooded
> checksums. Some "script kiddie" could become famous by turning all anti-spam
> from 90% in 1% effectiveness in days, not to mention probably overloading
> internet email to the point where no one could find their legitimate email.

Sobig-F came close...

But as I noted above, the spammer has to keep a certain signal/noise ratio in
the spam, or risk having the message not do any good (for instance, the spammers
who send me what are effectively 100% noise messages because they are in Turkish
or Chinese/Korean/Japanese are never going to get me to buy from them, as I have
no idea what they're selling...)

> If #3 happens, those of you here at the IETF who attempted to ridicule me
> (unsuccessfully obviously), will be realizing that my warnings of dire
> architectural problem are real.

We're quite aware of the architectural problems. We're also aware of exactly
what it would take to deploy a solution....

> Lastly I have done the full background search at ASRG (IRTF), and I did not
> find prior art for either the proposal I made to legitimize bulk email by
> moving it to "pull", nor the prior art for our soon to be patent-pending
> anti-spam algorithm.

Your search was incomplete, and here's some prior art. Make sure that the
claims on your patent don't cover anything in this message, as that would of
course be a big no-no.

# To: asrg@ietf.org
# Subject: [Asrg] email pull (was RE: Authentication )
# From: Kaitlin Duck Sherwood <ducky@osafoundation.org>
# Date: 26 Mar 2003 09:57:43 -0800
# In-reply-to: <CE541259607DE94CA2A23816FB49F4A3110067@vhqpostal6.verisign.com>
# Organization: Open Source Applications Foundation
# References: <CE541259607DE94CA2A23816FB49F4A3110067@vhqpostal6.verisign.com>

archived at:
http://www1.ietf.org/mail-archive/working-groups/asrg/current/msg02185.html

Read the whole thread, there's at least 20 followups to that message.
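Two of the obfuscations quoted in the message above (words split by non-rendering <!...> declarations, and filler words coloured to match the background) can be undone before a content filter tokenizes the body. The following Python sketch is an added example, not part of the original message or of any filter named in it; the bgcolor/color attribute forms, the sample body and the function name normalize are assumptions, and it uses regular expressions rather than a full HTML parser.

```python
import re

# Markup declarations like <!clarke> are parsed as bogus comments and never
# rendered, so the reader sees "survey" while a tokenizer sees "sur" + "vey".
BOGUS_DECL = re.compile(r"<!(?!--|doctype\b)[^<>]*>", re.I)
COMMENT = re.compile(r"<!--.*?-->", re.S)
BODY_BG = re.compile(r"<body\b[^<>]*\bbgcolor\s*=\s*[\"']?(#[0-9a-f]{6})", re.I)
FONT = re.compile(r"<font\b([^<>]*)>(.*?)</font>", re.I | re.S)
FG = re.compile(r"\bcolor\s*=\s*[\"']?(#[0-9a-f]{6})", re.I)
BLOCK = re.compile(r"<(?:br|p|div)\b[^<>]*>", re.I)
TAG = re.compile(r"<[^<>]+>")


def normalize(html):
    """Return (visible_text, findings) for one HTML mail body."""
    findings = {"split_markers": len(BOGUS_DECL.findall(html)), "hidden": []}
    html = COMMENT.sub("", BOGUS_DECL.sub("", html))
    bg = BODY_BG.search(html)
    # Assumption: with no bgcolor attribute the page renders on white.
    bg = bg.group(1).lower() if bg else "#ffffff"

    def drop_invisible(m):
        # Text whose foreground equals the page background is never seen by
        # the reader, so keep it out of the text handed to the classifier.
        fg = FG.search(m.group(1))
        if fg and fg.group(1).lower() == bg:
            findings["hidden"].append(TAG.sub("", m.group(2)).strip())
            return " "
        return m.group(2)

    html = FONT.sub(drop_invisible, html)
    text = TAG.sub("", BLOCK.sub(" ", html))
    return re.sub(r"\s+", " ", text).strip(), findings


# Constructed sample modelled on the obfuscations quoted in the message above.
SAMPLE = (
    '<html><body bgcolor="#FFFFFF"><b>California -</b> A recent online '
    "sur<!clarke>vey shows that roughly 46 mil<!support>lion U.S. adults "
    "bought pro<!disruptive>ducts<br>"
    '<font color="#ffffff">meeting agenda minutes budget</font>'
    '<font color="#000000">in response to e-mail.</font></body></html>'
)

if __name__ == "__main__":
    text, findings = normalize(SAMPLE)
    print(text)
    print(findings)
```

The counts in findings (split markers, hidden runs) are themselves usable as filter features, since legitimate mail rarely contains either.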