Date: 2005-11-10 08:56:00
Tags: email, spam
interesting email surprise

I received the following message yesterday, and it almost had me fooled:

From: "Jamie" <jamie.andrews@totalbusiness.co.uk>
To: <greg@hewgill.com>
Subject: Photo Approval
Date: Thu, 10 Nov 2005 03:31:07 -0600

Hello,
Your photograph was forwarded to us as part of an article we are publishing for
our December edition of Total Business Monthly.
Can you check over the format and get back to us with your approval or any
changes?
If the picture is not to your liking then please send a preferred one.
We have attached the photo with the article here.
Kind regards,
Jamie Andrews
Editor
www.TotalBusiness.co.uk
**********************************************
The Professional Development Institute
**********************************************

I had received a legitimate message a few days ago from somebody in Germany asking to use one of my pictures in an architectural publication of some kind (I gave them permission). Initially I thought this might be related. Then I noticed the attachment:

[-- Attachment #2: Photo+Article.exe --]
[-- Type: application/octet-stream, Encoding: base64, Size: 13K --]

It's an email virus! Luckily I handle my mail using mutt on FreeBSD, so it would have taken several more steps for me to "open" the attachment, and I didn't run it. It's amazing the lengths to which these virus authors are going to try to trap people.

In related news, I'm still getting fake-rolex spam which SpamAssassin is still marking as BAYES_50 (which means SpamAssassin thinks it's middle of the road, no sign of spam). Every one of those damn things I run through sa-learn to teach it, but the people who write those have found that the English language is extremely flexible and there are a million ways to package their sales pitch.

Spam is starting to become overwhelming again. Whatever happened to SPF, anyway?

[info]mskala
2005-11-10T17:12:24Z
You've got a missing </pre> in there, I think.
[info]ghewgill
2005-11-10T17:14:30Z
Whoops, thanks.
[info]cetan
2005-11-10T17:26:30Z
Spam is starting to become overwhelming again.

For me, what's getting through more than fake rolex spam is penny stock spam. I've also found it is nearly impossible to train a mail program to block them.

I think the only answer is public executions of spammers and floggings for those that respond to spam.

[info]hoyhoy
2005-11-10T17:44:12Z
I'm getting tons of false positives recently. All of my email that's not whitelisted gets marked as Spam. Is Bayesian classification dead?
[info]ghewgill
2005-11-10T19:06:16Z
It may or may not be dead, but I think it's definitely caused the spammers to modify their tactics. A lot. Paul Graham was dead on when he predicted some of this in his "A Plan for Spam" article that introduced Bayesian content filtering.

What's next on the antispam front, I wonder?

Are there really that many people out there who want fake rolexes?
[info]cetan : you're on the cutting edge of trojans!
2005-11-10T19:02:26Z
http://it.slashdot.org/article.pl?sid=05/11/10/1615239&tid=172&tid=233

[info]ghewgill : Re: you're on the cutting edge of trojans!
2005-11-10T19:09:40Z
http://it.slashdot.org/comments.pl?sid=167899&threshold=0&commentsort=3&tid=172&tid=233&mode=thread&cid=14000277
[info]taral
2005-11-10T19:56:46Z
I'm going to try DSPAM, as soon as I can get past the configuration...
[info]taral
2005-11-10T20:00:02Z
hewgill.com TXT "v=spf1 exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.hewgill.com mx -all"

Ew? What's the big exists: thing and why is it backwards?
[info]ghewgill
2005-11-10T20:05:01Z
What that does is cause SPF checkers to query my DNS server for a name related to the email it received. I get in my logs something like this:

cl.210.211.217.144.fr.stan@hewgill.com.he.hewgill.com.null.spf.hewgill.com

That gives me the sender's IP address (210.211.217.144), the claimed sender address (stan@hewgill.com), and the HELO name used (hewgill.com). My DNS server responds with "not exists" for anything like that, so the SPF query just uses the "mx" rule.

I set that up a long time ago and then hardly ever look at it now. :)
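The macro expansion and the log parsing described in this comment, as an added example that is not code from the original post: the first function expands the SPF macros %{i}, %{s} and %{h} (as specified in RFC 7208) in the exists: label of the record quoted above, and the second recovers the three fields from a query name as it shows up in the DNS log. The sample values are the ones quoted in the thread; IPv4 only.

```python
import ipaddress
import re

# The exists: target from the record quoted in the thread:
#   v=spf1 exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.hewgill.com mx -all
SPF_EXISTS_TEMPLATE = "CL.%{i}.FR.%{s}.HE.%{h}.null.spf.hewgill.com"


def expand_spf_macros(template, client_ip, sender, helo):
    """Expand %{i} (client IP), %{s} (MAIL FROM) and %{h} (HELO name).

    Only the three macros this record uses are supported; any other
    macro letter raises rather than being silently left in place.
    IPv4 only: %{i} is the dotted address, as in the logged query.
    """
    values = {
        "i": str(ipaddress.IPv4Address(client_ip)),  # rejects IPv6/junk
        "s": sender,
        "h": helo,
    }

    def repl(match):
        letter = match.group(1)
        if letter not in values:
            raise ValueError(f"unsupported SPF macro %{{{letter}}}")
        return values[letter]

    # DNS names are case-insensitive and the logged name is lower-case,
    # so normalise the expanded name the same way.
    return re.sub(r"%\{([a-z])\}", repl, template).lower()


# Matches the query names the DNS server logs. Non-greedy groups stop at
# the first ".he." and ".null.", so a sender address that itself contains
# a ".he." label would be split wrongly; such names are rare in practice.
LOG_QUERY_RE = re.compile(
    r"^cl\.(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
    r"\.fr\.(?P<sender>.+?)"
    r"\.he\.(?P<helo>.+?)"
    r"\.null\.spf\.hewgill\.com$"
)


def parse_logged_query(name):
    """Return (client IP, claimed sender, HELO name) or None if no match."""
    m = LOG_QUERY_RE.match(name)
    if not m:
        return None
    return m.group("ip"), m.group("sender"), m.group("helo")
```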
[info]taral
2005-11-11T04:51:03Z
Oh, cute. That explains the backwards bit.
[info]thomasj
2005-11-11T03:19:38Z
SPF is not antispam per-se, but prevents domain spoofing. You can still create a domain and flood someone with mail from many addresses from it. Or create and destroy many domains. It just makes spoofing someone from say, hotmail.com, much harder.

The mailserver my company produces uses an interesting anti-spam trick called Spam Repellant. The theory is that spammers need to send as much spam as possible to be profitable. Therefore, they will not wait as long for a response from the recipient mailserver before giving up. Legitimate mailservers will wait for a reasonable length of time.

So we introduce an artificial delay between the opening of the connection and the SMTP server's greeting - up to 30 seconds. Anything that tries to send before the greeting, we drop. Spam mail senders usually won't wait more than 10-15 seconds, and drop themselves. So they're filtered, and legitimate mail allowed.

This works very nicely.
[info]dopplertx
2005-11-11T06:25:43Z
That's an interesting tactic. Someone with postfix mojo should come up with a similar solution :-)
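The greeting-delay check from the two comments above, as an added example in Python (not the commercial mailserver's code, and not a Postfix module): the server waits before sending its 220 banner and classifies the client by what happens during the wait. Hostname and the simulate() harness are constructed for the example.

```python
import select
import socket

SMTP_BANNER = b"220 mail.example.test ESMTP\r\n"   # constructed hostname


def pre_banner_verdict(conn, wait_seconds):
    """Classify a freshly accepted SMTP connection before the banner goes out.

    "ok"           - client stayed silent for wait_seconds (behaves like an MTA)
    "early-talker" - client sent bytes before being greeted (RFC 5321 forbids it)
    "disconnected" - client gave up and closed the connection while waiting
    """
    readable, _, _ = select.select([conn], [], [], wait_seconds)
    if not readable:
        return "ok"
    # Peek rather than consume, so the premature data can still be logged.
    data = conn.recv(512, socket.MSG_PEEK)
    return "early-talker" if data else "disconnected"


def greet_or_drop(conn, wait_seconds):
    """Greet patient clients; refuse early talkers with a permanent error."""
    verdict = pre_banner_verdict(conn, wait_seconds)
    if verdict == "ok":
        conn.sendall(SMTP_BANNER)
    elif verdict == "early-talker":
        conn.sendall(b"554 5.7.0 Protocol error: command sent before greeting\r\n")
        conn.close()
    else:
        conn.close()
    return verdict


def simulate(client_sends=None, client_hangs_up=False, wait_seconds=0.2):
    """Drive greet_or_drop over a local socketpair (harness, not real SMTP).

    A short wait keeps the demo fast; a production value is several seconds.
    """
    server_side, client_side = socket.socketpair()
    try:
        if client_sends is not None:
            client_side.sendall(client_sends)
        if client_hangs_up:
            client_side.close()
        return greet_or_drop(server_side, wait_seconds)
    finally:
        server_side.close()
        client_side.close()
```

RFC 5321 tells a sending MTA to wait at least five minutes for the 220 banner, so a compliant sender passes even a 30-second delay; Postfix later shipped the same idea as postscreen's pregreet test (postscreen_greet_wait).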
(anonymous)
2005-11-17T13:39:23Z
You know, yahoo mail catches 99.9 percent of the spam I get. Maybe three a week get through to my inbox, and maybe one legit goes to the spam folder every couple of weeks. It's hard for me to justify using anything else.
Greg Hewgill <greg@hewgill.com>