Tracking Codes used by Spammers

Mikey

There are several references now in places on SC and other places about spammers' ability to track those who report them. Alas, it appears that I was NOT paranoid after all!

So my question is, how are they doing this? Someone must have some intel on this if they believe it is happening. These are my guesses. Again, perhaps I'm paranoid....

1. "Random" text at the end of subject lines

2. "Random" text at the end of the body, often after the /html tag

3. Recipient username or entire E-mail referenced in body (obviously)

4. "From" usernames that appear to be random (or joe-jobs) but aren't

5. X-mailer fields

6. "Random" text or English words within the body, often obscured by html tags

7. Message-Id fields

I have had people tell me that all the above items are only there to confuse content-checking spam filters, particularly simple client filters. However I don't think that is true. Certainly munged X-mailer fields will disguise the fact that they are using rat-ware to send the spam. Yet I don't think putting x56ffg on the end of a subject line is going to do anything to fool spamassassin or anything else.

As far as I know, nearly everything in the header (and obviously the body) is subject to tampering. So I know they COULD do it anywhere, I was just curious if someone knows for a fact, "This is how they are doing it...."

So what do you experts say?

Thanks.


There is no consensus that I can see.

There are many ways that a spammer can try to identify who reported them. Too many to try to find all but the most obvious ones.

Some of the codes may just be hashbusters to get around content filters.

Most of the spammers do not seem to waste time retaliating, there are enough reporters using spamcop.net now that they can not even target a small sample.

What can be more important to the spammer is identifying who is reading the spam.

If your e-mail client is HTML aware, and is allowed to open external links automatically to show pictures, it has at the minimum given the spammer your I.P. address, and the model of your web browser.

This tells the spammer that their spam is getting through to everyone on your I.P. range.

The web link could identify your e-mail address.

It could also identify the spammer to the web site. Some of them are paid by the number of "HITS" that their spam generates on the web site. Or at least think they will get paid by the person they bought the spamware from.

Again, realistically most will not bother looking at any feedback.

There is one stock pump and dump scammer that is using return receipts if you still have them enabled in your e-mail client.

Most of the time if the spammer can identify who reported them, they probably listwash from their own spam lists, but may provide the information to others.

Some spammers may send more spam to reporters to try to convince them that their efforts are futile.

But it really would take a mind-reader to know.

The only way that you will see a reduction in spam though is if your postmaster decides to stop accepting e-mail from I.P. addresses that are spam infested.

While the bl.spamcop.net blocking list may be too aggressive to use for many people, many others have found it accurate enough to use to protect their mail servers.

But there is no reason that a mail server should be accepting e-mail from known open proxies, open relays, or domains known to be totally controlled by spammers.

-John

Personal Opinion Only


  These are my guesses.  Again, perhaps I'm paranoid....

1.  "Random" text at the end of subject lines

2.  "Random" text at the end of the body, often after the /html tag

3. Recipient username or entire E-mail referenced in body (obviously)

4.  "From" usernames that appear to be random (or joe-jobs) but aren't

5.  X-mailer fields

6.  "Random" text or English words within the body, often obscured by html tags

7.  Message-Id fields

I am no expert, but I have received mail that references my e-mail ID in the body or partially in the "from" username. My first response was to stop reporting, when every other mail was like this (I don't have much spare time in the evenings). Then I decided that the maxim "don't get mad, get even" applied, so the last one I received I carefully munged the forwarded message to remove references to my name.

To avoid the identifiable-picture-downloaded-in-preview, (for active eMail account, rather than spamcop reporter, identification) I now download my eMails using POP3. I then go off-line before checking the filtering has worked (with OE it is hard to maintain the rules and I am getting a large number of legit mails diverted to PornSpam folder, for no obvious reason).

In respect of the other methods of identifying reporters to spamcop, I had to ask myself "is it worth the risk?".

Even if I knew what they were using, it would take too long to check and munge each eMail reported. Perhaps it is the bit of British spirit in me, (that dates from before Agincourt, where the English archers raised two fingers to show they could still nock an arrow), but I'll be blowed if I'll let spammers ruin eMail for everyone - even if I have to take a small risk myself.


To avoid the identifiable-picture-downloaded-in-preview, (for active eMail account, rather than spamcop reporter, identification) I now download my eMails using POP3. I then go off-line before checking the filtering has worked (with OE it is hard to maintain the rules and I am getting a large number of legit mails diverted to PornSpam folder, for no obvious reason).

Go through your Rules and ensure that each rule has the "Stop Processing" flag set.


I am definitely getting lots more spam since starting reporting. I'm not sure how long I will have to keep it up before I get listwashed. I suspect Chinanet is selling CD's of email addresses with my address on it and has no concern whether I report or not, since the spam doesn't come from their IP addresses.


Just had another thought. Sorry, it happens every now and then..... ;-)

All the English dictionary words I see in spam bodies now..... What's the chance that's there to fool Bayesian filters? Does it hurt to run these through something like sa-learn, K9 or another learning filter? Are the spammers eventually going to dilute the Bayesian statistics to the point that these filters won't work?

-Mikey.


What's the chance that's there to fool Bayesian

Why else? Surely not to help drive home the sales pitch on whatever they're pushing that day?

run these through something like sa-learn, K9 or another learning filter

Am thinking that answers to this set of scenarios might be found over in support forums for those products. Going with that each of these would be used as a "personal" filtering tool, I'd suggest that the end result would be based on how many good vice bad e-mails were used for "training" ... train with 1,000 spams but only 3 good e-mails, you're probably screwed ...???

spammers eventually going to dilute the Bayesian statistics

That's already the intent, in fact some would say they've succeeded, but I'll just say .. re-read the above ...


Here's an example of how they can track as well. My address was inserted into the reply path, the return path, as well as the standard unsub link. Brought to you by your buddies at OptInRealBig.spam:

Return-Path: <b.esale2.0-2f149d1-321d.<My e-mail address was inserted here>[at]d1.tekmailer.com>
Received: from [69.6.6.49] (HELO d1.tekmailer.com)
  by <X> (CommuniGate Pro SMTP 4.1.8)
  with ESMTP id 35667981 for <X>; Sat, 21 Feb 2004 10:21:22 -0600
Received: (from daemon[at]localhost)
  by d1.tekmailer.com (8.8.8/8.8.8) id IAA34905;
  Sat, 21 Feb 2004 08:46:22 -0500 (EST)
Date: Sat, 21 Feb 2004 11:25:47 -0500 (EST)
Message-Id: <200402211346.IAA34905[at]d1.tekmailer.com>
From: Pet Stuff <esale2[at]d1.tekmailer.com>
To: <X>
Subject: Coupon for pet needs. Order online.
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"

and at the bottom of the spam:

<DIV>
<FONT FACE="helvetica,arial" SIZE="-1" COLOR="#000000">
To unsubscribe from this mailing list: <A HREF="http://d1.tekmailer.com/delete?l=esale2.0-2fd1-31d&e=.<My e-mail address was inserted here>">click here</A><BR>
or send a blank message to: <A HREF="mailto:r.esale2.0-2fd1-3d..<My e-mail address was inserted here>[at]d1.tekmailer.com?subject=remove">r.esale2.0-2fd1-31d..<My e-mail address was inserted here>[at]d1.tekmailer.com</A><BR>
</FONT>
</DIV><BR>
<div align="center">
<font face="helvetica,arial" size="-1" color="#000000">
Optinrealbig.com LLC<br>
1333 W 120th Ave. Suite 101<br>
Westminster, Colorado 80234<br>
USA<br>
</font>
</div>

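As an added example (not code from the thread or from any of the posters), here is a small Python check that takes a raw message plus the address it was delivered to and reports where that address, its VERP-style form (the "@" replaced by "="), its local part, or an MD5/SHA-1/SHA-256 digest of it turns up in the headers or in the URLs of the HTML body. That covers the encoded Return-Path and unsubscribe links in the message quoted above and the image-beacon case John described earlier in the thread. The sample message is constructed for this example: the hosts tekmailer.example and example.org and the 192.0.2.49 address are placeholders, and the beacon URL is given an MD5 of the recipient address to show the hashed variant.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample, shaped like the message quoted in the thread.  Every
# address, id and host name is made up; __MD5__ is filled in below so the
# tracking pixel carries a digest of the recipient instead of the address.
RECIPIENT = "alice@example.org"

_TEMPLATE = """\
Return-Path: <b.esale2.0-2f149d1-321d.alice=example.org@d1.tekmailer.example>
Received: from [192.0.2.49] (HELO d1.tekmailer.example)
 by mx.example.org (CommuniGate Pro SMTP 4.1.8)
 with ESMTP id 35667981 for <alice@example.org>; Sat, 21 Feb 2004 10:21:22 -0600
Message-Id: <200402211346.IAA34905@d1.tekmailer.example>
From: Pet Stuff <esale2@d1.tekmailer.example>
To: <alice@example.org>
Subject: Coupon for pet needs. Order online. x56ffg
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"

<html><body>
<img src="http://d1.tekmailer.example/open.gif?l=2fd1-31d&h=__MD5__" width="1" height="1">
<p>Coupons for pet supplies, order online.</p>
<p>To unsubscribe: <a href="http://d1.tekmailer.example/delete?l=esale2.0-2fd1-31d&e=alice@example.org">click here</a></p>
</body></html>
"""
RAW_MESSAGE = _TEMPLATE.replace("__MD5__", hashlib.md5(RECIPIENT.encode()).hexdigest())


def recipient_fingerprints(addr):
    """Forms a sender might embed: the address verbatim, its local part,
    the VERP-style form with '@' replaced by '=', and hex digests of the
    lowercased address (a hashed address looks like a random token)."""
    addr = addr.lower()
    forms = {
        "address": addr,
        "verp": addr.replace("@", "="),
        "localpart": addr.split("@", 1)[0],
    }
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, addr.encode()).hexdigest()
    return forms


# href="..." / src='...' attribute values in the HTML body
URL_RE = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.I)

TRACKED_HEADERS = ("Return-Path", "Message-ID", "From", "Reply-To",
                   "Subject", "List-Unsubscribe")


def find_tracking_tokens(raw, recipient):
    """Return (location, kind) pairs for every place the recipient address
    or a derivative of it appears in the tracked headers or in body URLs."""
    msg = email.message_from_string(raw, policy=policy.default)
    forms = recipient_fingerprints(recipient)
    findings = []

    def scan(where, text):
        low = text.lower()
        for kind, needle in forms.items():
            # a very short local part ("bob") would match by accident
            if kind == "localpart" and len(needle) < 5:
                continue
            if needle in low:
                findings.append((where, kind))

    for field in TRACKED_HEADERS:
        for value in msg.get_all(field, []):
            scan(field, str(value))

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        for url in URL_RE.findall(body.get_content()):
            scan("url:" + url.split("?", 1)[0], url)
    return findings


if __name__ == "__main__":
    for where, kind in find_tracking_tokens(RAW_MESSAGE, RECIPIENT):
        print(f"{where}: recipient tagged as {kind}")
```

The check only finds tags that are derived from the address. A token that is just a row number in the sender's database (the list id in the unsubscribe link, or an opaque string like the x56ffg in the subject) cannot be tied to the recipient by inspection, which is why munging such fields before reporting, as the poster above did, is the practical defence rather than trying to decode them.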

Can Bayesian filters be set to ignore text in white type?

Doubtful, as the concept is to just perform analysis on text ... color or font has no bearing on this calculation (or at least shouldn't ..)

if they had to make the extra words readable

As I don't handle HTML e-mails by rendering the HTML, I can tell you that I do see all that text. Perhaps a configuration change in your set-up would be useful?


AlphaCentauri, will agree to all that you said in this last .... but the specific (?) question I tried to answer generically could really only be answered by going to whatever filtering app that the OP was asking about ... thus my "doubtful" in the beginning .... but I surely didn't rule out the possibility ...


What's the chance that's there to fool Bayesian filters?

Ok ... now I am going to ask a dumb-newbie question.

What is a Bayesian filter? (Yes, I know I could do a web search on it, but if I don't know then I suspect that a lot of newbies reading this forum also do not know what it means either, so a short post or link may help them too!)

Secondly, is it specifically for people who use spamcop mail?


What is a Bayesian filter?

as found from the web, noting the optimistic viewpoint;

Bayesian spam filters calculate the probability of a message being spam based on its contents. They learn from spam and from good mail, resulting in a very robust and efficient anti-spam approach that returns hardly any false positives.

is it specifically for people who use spamcop mail

no .... there's a large number of freeware, shareware, and expensive applications that provide the technical resources to pull in this filtering process. and yes, this is one of those best left to doing your own research, based on the various levels of knowledge and expertise required of the user, and cost of these different products ... some just plug in, some need a massage of the whole system to get it all to talk together ... and the training modes differ, some offering up pre-packaged modules / rules, others starting off totally blank so it can be trained with "your" particular collection of spam/ham.


A bayesian filter gives a score to the words / tokens in a message, and then determines spam/ham from that score.

As WazoO said, a content filter.

Spammers are trying to poison bayesian filters and content filters by adding either lots of dictionary words, or paragraphs from books or what looks like a normal e-mail.

As content filters go, a bayesian filter seems currently one of the better tactics.

However, a bayesian like all content filters becomes less effective as the number of users that use a common content filter increases.

Either the content filter will start to leak more spam, or it will start to flag/reject more real e-mail.

A better approach is to use DNSbls to first screen out known spam sources, and then the content filter on the remainder of the suspicious mail to tag it. If it is spam, then to submit the I.P. address for testing to get it in the proper DNSbl.

A content filter for an ISP will only stop the dumbest of the dumb spammers. An ISP that relies on content filtering as their first defense, likely only has it so that they can pretend that they are trying to block spam and advertise it as a feature.

Accepting all e-mail and then content filtering it, instead of using DNSbls, more than doubled the cash operational costs of the mail server a few years ago. Now it is raising the costs even higher. That cost is passed on to the end users one way or another.

From all the sources that I get mail from, I see more spam leakage and complaints of lost mail from the mail servers that primarily rely on content filters.

I see almost no complaints of rejected real e-mails from my postmasters that use DNSbls as the primary spam blocks, and then only when the postmasters are using extremely aggressive DNSbls, ones more aggressive than spamcop.net.

The reason for that is that it is very rare for a well run mail server to ever end up on a DNSbl, and such problems are fixed real fast because they are visible.

When an ISP's content filter decides something is spam, it is usually silently deleted; neither the sender nor the receiver is usually notified.

When a user's content filter mis-classifies a real mail, there is a risk that it will be deleted by mistake by the user.

If you have no spam filtering at all, there is a risk that you will either have real e-mail delayed or lost because you are over quota, or you will accidentally delete a real mail in the middle of the spew.

With pure content filtering there is a higher risk that the mail server will become too overloaded to deal with incoming mail, and can even cut off all users from reading their mail off of that server.

With a DNSbl based rejection, the sender gets notified that there is a problem, and can contact you by another means, like a secondary e-mail account, the phone, and the problem gets fixed, one way or another.

Some mail servers can do a content check and then reject what is classified as spam. The main problem with that is that when a message is misclassified as spam, while the sender gets notified, they will not be able to mail that message from any source to you.

In e-mail management, trying to be heroic and find valid mails by content just is not cost effective, and is really assisting the spammers.

-John

Personal Opinion Only

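An added example, not from the thread or from any poster, of the token scoring John describes, written to answer Mikey's earlier question about feeding dictionary-padded spam to sa-learn. It is a minimal Graham-style filter: each token gets a Laplace-smoothed P(spam | token) from how many spam and good messages contained it, and the per-token probabilities are combined as the product of p against the product of 1-p. The training messages and test messages are constructed for the example, and the figures in the usage note come from running it, not from any real filter.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokens(text):
    """Distinct word-like tokens of three or more characters."""
    return {t for t in TOKEN_RE.findall(text.lower()) if len(t) >= 3}


class BayesFilter:
    """Per-token spam probabilities learned from labelled mail, combined
    Graham-style (product of p against product of 1-p, done in log space)."""

    def __init__(self):
        self.spam_counts = Counter()  # token -> number of spam messages containing it
        self.ham_counts = Counter()   # token -> number of good messages containing it

    def train(self, text, is_spam):
        (self.spam_counts if is_spam else self.ham_counts).update(tokens(text))

    def token_prob(self, tok):
        # Laplace-smoothed P(spam | token); a never-seen token scores 0.5
        b, g = self.spam_counts[tok], self.ham_counts[tok]
        return (b + 1) / (b + g + 2)

    def spam_probability(self, text):
        log_p = log_q = 0.0
        for tok in tokens(text):
            p = self.token_prob(tok)
            log_p += math.log(p)
            log_q += math.log(1.0 - p)
        # prod(p) / (prod(p) + prod(1-p)), rearranged to avoid underflow
        return 1.0 / (1.0 + math.exp(log_q - log_p))


# Constructed training corpus (far too small for real use; it keeps the
# arithmetic easy to follow by hand).
SPAM_TRAINING = [
    "cheap viagra online order now",
    "order cheap pills online discount",
    "discount pills viagra buy now",
    "buy cheap discount online now",
]
HAM_TRAINING = [
    "meeting tomorrow about the project budget",
    "can you review the project report",
    "lunch tomorrow after the meeting",
    "budget report review attached",
]

SPAM_TEXT = "cheap viagra discount now"
HAM_TEXT = "project meeting tomorrow"
# spam padded with words the filter has never seen (random dictionary words)
SPAM_PLUS_UNSEEN = SPAM_TEXT + " zebra quartz umbrella"
# spam padded with words that occur in this user's good mail
POISONED = SPAM_TEXT + " project meeting tomorrow budget report review"


def run_demo():
    """Score the test messages before and after the poisoned spam is
    itself trained as spam (what feeding it to sa-learn --spam would do)."""
    f = BayesFilter()
    for m in SPAM_TRAINING:
        f.train(m, True)
    for m in HAM_TRAINING:
        f.train(m, False)
    result = {
        "spam": f.spam_probability(SPAM_TEXT),
        "ham": f.spam_probability(HAM_TEXT),
        "spam_plus_unseen": f.spam_probability(SPAM_PLUS_UNSEEN),
        "poisoned_before": f.spam_probability(POISONED),
    }
    f.train(POISONED, True)
    result["poisoned_after"] = f.spam_probability(POISONED)
    result["ham_after"] = f.spam_probability(HAM_TEXT)
    return result


if __name__ == "__main__":
    for name, score in run_demo().items():
        print(f"{name:18s} P(spam) = {score:.3f}")
```

Two things fall out of running it. Words the filter has never seen score 0.5 and cancel out, so padding with random dictionary words does nothing on its own (spam_plus_unseen equals spam, about 0.99); what leaks is the message padded with words from the user's own good mail, which drops from 0.99 to roughly 0.21. Training that message as spam pushes it back above 0.97, but the same words are now shared between both classes, so the genuine "project meeting tomorrow" note rises from about 0.04 to about 0.23: still ham, but with less margin. That is the dilution the thread asks about, and it is why the ratio of good to bad training mail matters as much as the volume.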

A better approach is to use DNSbls to first screen out known spam sources, and then the content filter on the remainder of the suspicious mail to tag it.  If it is spam, then to submit the I.P.  address for testing to get it in the proper DNSbl.

To perhaps save you from another Google effort ;-) What WB8 is talking about is a process that normally occurs in your mail server NOT in your mail client.

Without stepping on too many technical toes here.... DNS is the process (or application) of converting between domain names and the dotted IP address. A DNSbl (black list) is a list of these dotted IP addresses used by known spammers. Your mail server checks against these collected addresses before it even completes a SMTP (mail) connection from a remote server. If the address is on the list, the server rejects the mail before it is put into your mail box.

Why doesn't everyone use these lists? If you can't tell from some of the posts in this forum, some times the wrong people get onto these lists. I won't go further on that topic, there are volumes that could be said about that.

So your ISP has two choices. (1) Use the blacklists and deal with the rare, occasional hot-head who gets his mail blocked. Or (2) not use the blacklists and let, literally, every piece of spam into the system where it has to be dealt with by server-side content filters or you get to deal with it by using your own client-side filters.

(Hey WB8TYW, 73 OM!)

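An added example (not from the thread, and not the code of any mail server or of spamcop.net) showing the lookup the two posts above describe: the connecting IP's octets are reversed and the DNSbl zone appended, the name is resolved, and a listing is an A record inside 127.0.0.0/8. The zone name bl.example and the answer table are constructed so the block runs offline; a real deployment would query the actual zone with the real resolver. The 127.0.0.0/8 check is the caveat worth keeping: a DNSbl that has been shut down or whose domain has lapsed can start answering every query with a real address, and a server that treats any answer as a listing will then reject all mail.

```python
import ipaddress
import socket


def dnsbl_name(ip, zone):
    """Query name for ip under zone: IPv4 octets reversed, IPv6 nibbles
    reversed (the RFC 5782 form), followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def dnsbl_lookup(ip, zone, resolve=socket.gethostbyname):
    """Classify one connecting IP against one DNSbl.

    "skipped"    - private/loopback/documentation address, never queried
    "not-listed" - name does not exist (or lookup failed; a production
                   server should separate timeouts from NXDOMAIN)
    "listed"     - answer inside 127.0.0.0/8, the DNSbl convention
    "zone-error" - any other answer: a dead or hijacked zone, not a listing
    """
    addr = ipaddress.ip_address(ip)
    if not addr.is_global:
        return "skipped"
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:  # socket.gaierror is a subclass
        return "not-listed"
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "zone-error"


def smtp_verdict(ip, zones, resolve=socket.gethostbyname):
    """Decide at connection time. Only a positive listing rejects; a zone
    that misbehaves is ignored rather than allowed to reject everything.
    Mail that is accepted goes on to the content filter, as John suggests."""
    for zone in zones:
        if dnsbl_lookup(ip, zone, resolve) == "listed":
            return 550, f"{ip} is listed by {zone}; see the list's lookup page"
    return 250, "accept and hand to the content filter"


def fake_resolver(table):
    """Constructed stand-in for DNS so the example runs offline: names in
    the table resolve, anything else raises like an NXDOMAIN would."""
    def resolve(name):
        if name not in table:
            raise socket.gaierror("NXDOMAIN")
        return table[name]
    return resolve


if __name__ == "__main__":
    # 69.6.6.49 is the sending host from the headers quoted in the thread;
    # the answers below are invented for the demonstration.
    resolve = fake_resolver({
        "49.6.6.69.bl.example": "127.0.0.2",     # listed
        "51.6.6.69.bl.example": "198.51.100.1",  # broken zone answering with a real IP
    })
    for ip in ("69.6.6.49", "69.6.6.50", "69.6.6.51", "10.0.0.1"):
        print(ip, dnsbl_lookup(ip, "bl.example", resolve),
              smtp_verdict(ip, ["bl.example"], resolve))
```

Because the decision is made before the server accepts the message, the sender's MTA gets the 550 and bounces it to a human, which is the notification advantage John contrasts with silent content filtering. Private and documentation ranges are skipped so the server never queries a DNSbl for its own LAN.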

As John Malmberg would write:

Some people think they are hash busters that are changed with each

mailing to confuse content filters. Others think that they may be

encoded identifiers to identify and retaliate or listwash spam reporters.

But this esteemed publication has uncovered the truth:

http://www.theregister.co.uk/content/28/34840.html
