three years of spam mutation l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Three years of spam mutation PowerPoint Presentation
Download Presentation
Three years of spam mutation

Loading in 2 Seconds...

play fullscreen
1 / 38

Three years of spam mutation - PowerPoint PPT Presentation


  • 276 Views
  • Uploaded on

Anti-spammer response: follow redirector. Spammer response: use Geocities with complex ... the hypothesis that people are better at spam filtering than machines ...

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Three years of spam mutation' - Kelvin_Ajay


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
three years of spam mutation

Three years of spam mutation

John Graham-Cumming

Independent Consultant

France

who am i
Who am I?
  • Author of POPFile
    • Created in August 2002
    • Machine sorting of email spam, ham, you-name-it
    • Jolt Productivity Award in 2005
  • Founding speaker at MIT Spam Conference
    • 2003: “The Spammers’ Compendium”
    • 2004: “How to beat an adaptive spam filter”
    • 2005: “People and Spam”
  • Frequent speaker, writer, coder on anti-spam
why spam
Why spam?
  • Spam found me
  • Started investigating machine classification of email in 2000
    • All my email has been sorted automatically for the last 6 years
  • Spam presents a problem: it changes
    • Spammers are adversarial
    • They react (very fast: hours to days) to changes in spam filtering technology
are spammers stupid
Are spammers stupid?
  • I don’t think so
  • And I hope to convince you in this talk
  • Spammers innovate constantly
    • The products they sell
    • How they send the spam (fixed IPs, broken web forms, open proxies, zombie networks, …)
    • The content of their messages
  • This talk focuses on the content of spam messages
once upon a time
Once upon a time…
  • It was fairly easy to filter spam
    • It came from fixed IP addresses: use a blacklist
    • The From address was not forged: easy to filter
    • The spam contained keywords that could be blacklisted
      • penis, viagra, etc.
  • Simplistic filtering on From and content is now useless (has been for a few years)
  • Only complex algorithms can filter on spam content
    • Hashing, weighted heuristics, ‘Bayes’, …
in 2003 popfile worked great
In 2003 POPFile worked great…
  • … except for spam
  • Because spammers were trying to avoid filters by all sorts of trickery
  • Some tricks you are familiar with…
    • VIAGRA has become V1@GRA
    • PENIS has become PE.NIS
    • ENLARGER is written ENARELGR
  • Most others are hidden from the reader
the spammers compendium
The Spammers’ Compendium
  • www.jgc.org/tsc
  • Informal collection of spammer tricks
    • All about content of spam, not how it’s sent
    • Been collecting since 2003
    • Now a total of 55 tricks
    • All have been seen in the wild
    • All have humorous(*) names
  • (*) OK, I thought they were funny :-)
fun facts
Fun facts
  • 80% of spam uses HTML
    • Colors, images, fonts…
    • … and tricks
  • 80% of spam uses at least one content trick
    • Invisible Ink, Camouflage, …
  • Spam and spam filters are in an arms race
  • Irony: Spammer tricks often make spam easier to filter
    • Who spells Viagra V1@GGR@?
the spam zeitgeist 1
The Spam Zeitgeist (1)
  • Spammers realize that spam filters spot their tricks, so they are trying…
    • Short plain text emails with a URL
    • Anti-spammer response: URL blacklist
    • Spammer response: use redirector
    • Anti-spammer response: follow redirector
    • Spammer response: use Geocities with complex page that reloads using encoded Javascript
the spam zeitgeist 2
The Spam Zeitgeist (2)
  • Spammers realize that spam filters read their mail…
    • Spammer response: send an image instead of text
    • Anti-spammer response: checksum the images
    • Spammer response: make random modification of image and number of images
    • Anti-spammer response: perform OCR on images
    • Spammer response: add random noise to images
example hypertextus interruptus
Example: Hypertextus Interruptus
  • A once popular trick that has fallen out of favor
    • Use HTML's commenting mechanism to break up bad words
    • HTML comments are written <!-- comment --> and the entire sequence is ignored and not displayed.
    • Easy to break up a word like Viagra:V<!-- banana -->i<!-- wumpus -->a<!-- dinosaur -->g<!-- potato -->r<!-- amtrak -->a
example invisible ink 1
Example: Invisible Ink (1)
  • Hide lots of good words using white font on a white background
  • Before:Buy Viagra Now!Please see the attached spread sheet for our current sales forecast
example invisible ink 114
Example: Invisible Ink (1)
  • Use HTML <font color=xyz> tag to make the good words disappear
  • After:Buy Viagra Now!Please see the attached spread sheet for our current sales forecast

<font color=white> … </font>

example camouflage 1
Example: Camouflage (1)
  • Like Invisible Ink but use slightly different colors (almost white on white)
  • Before:Buy Viagra Now!Please see the attached spread sheet for our current sales forecast
example camouflage 2
Example: Camouflage (2)
  • Like Invisible Ink but use slightly different colors (almost white on white)
  • Add a colored background:Buy Viagra Now!Please see the attached spread sheet for our current sales forecast

<body bgcolor=#CC9900> … </body>

example camouflage 3
Example: Camouflage (3)
  • Like Invisible Ink but use slightly different colors (almost white on white)
  • Finally, color the text almost the same:Buy Viagra Now!Please see the attached spread sheet for our current sales forecast

<font color=#BB8811> … </font>

example the matrix
Example: The Matrix
  • Prevent spam filter from reading the text in a spam by writing it verticallyBuyGenericViagraCheap
example the matrix19
Example: The Matrix
  • Prevent spam filter from reading the text in a spam by writing it verticallyB G V Cu e i hy n a e e g a r r p i a c
example catch a wave 1
Example: Catch a Wave (1)
  • Split a sentence into two lines and then put them back together again
  • Start with:Increase your sexual desire
example catch a wave 2
Example: Catch a Wave (2)
  • Split a sentence into two lines and then put them back together again
  • Make two linesInc se yo se al des rea ur xu ire

<tr align=bottom><td></td><td>rea</td> … <td>ire</td></tr>

example catch a wave 3
Example: Catch a Wave (3)
  • Split a sentence into two lines and then put them back together again
  • Back together again:Increase your sexual desire

<tr align=bottom><td rowspan=2>Inc</td><td></td> … <td></td></tr>

example the rake 1
Example: The Rake (1)
  • Break up a word with random letters, then move the letters out of the way
  • Start with:Viagra
example the rake 2
Example: The Rake (2)
  • Break up a word with random letters, then move the letters out of the way
  • Sprinkle in some random letters:Vxifatgyrka
example the rake 3
Example: The Rake (3)
  • Break up a word with random letters, then move the letters out of the way
  • Mark each letter to be moved out of the way:Vxifatgyrka

<span style=“float:right”>x</float>

example the rake 4
Example: The Rake (4)
  • Break up a word with random letters, then move the letters out of the way
  • The end result:Viagra xftyk
example whiter shade of pale 1
Example: Whiter shade of pale (1)
  • Concatenate words using random greyed out letters
  • Start with:Offshore pharmacy online now
example whiter shade of pale 2
Example: Whiter shade of pale (2)
  • Concatenate words using random greyed out letters
  • Add random letters between words:OffshoreGpharmacyUonlineInow
example whiter shade of pale 229
Example: Whiter shade of pale (2)
  • Concatenate words using random greyed out letters
  • Grey or white out the letters:OffshoreGpharmacyUonlineInow

<font color=lightgrey>G</font>

image spam
Image Spam
  • Spammers currently like image spam because…
    • Text based filters are getting really good
      • Hard to read the text in an image
    • URL blacklists are catching a lot of spam
      • Recipient is usually asked to type in a URL in the image
      • Hard to automatically extract that URL for blacklisting
    • An image is hard for a machine to interpret
      • Lots of latitude for obscuring the image
will it end
Will it end?
  • No
  • People buy from spam
    • Pew Internet Trust 2003 Survey: 7%
    • My 2004 Survey: 1%
    • But a 0.001% response rate is break even
  • End users are seeing less and less spam
    • Spam has moved from an end-user problem to a sysadmin problem
resources
Resources
  • www.jgc.org
    • All my writing on spam (and other topics)
    • Subscribe to my newsletter
    • The Spammers’ Compendium
    • Anti-spam Tool League Table
  • www.extravalent.com
    • My commercial web site (polymail)
    • Need an anti-spam OEM engine?
    • Now you know who to ask…
fun stuff spamorham org
Fun Stuff: SpamOrHam.org
  • Testing the hypothesis that people are better at spam filtering than machines
    • Bill Yerazunis: 99.84%
    • My 2004 Survey: 99.46%
  • Read randomly selected spam or Enron emails and click Spam, Ham or I’m not sure
  • www.spamorham.org
  • You could even win an ‘enlarger’!
thank you
Thank you
  • Thank you for listening
  • Questions?