Jump to content

Scam spam's weak link


Recommended Posts

I found this a puzzling article, rather sloppily written. Don't know whether the same can be said for Voelker & Savage's original work, but let's hope not.

For one thing, the folks at eurekalert seem to have developed the opposite of address munging: instead of disguising anything that looks like an e-mail address by turning "[at]" to "at", they actually change all instances of "at" to "[at]". Woe be unto anyone who decides to munge their e-mail in such articles.

For another, the profs at UCSD are getting a mighty lot of credit for "inventing" things like spam traps (which I guess is what "spamscatter" means). Assuming that they mean DNSBL by "blacklisting" in the quote Farelf posted above, then I appreciate these learned men putting their stamp of approval on the use of this technique, which has actually been blocking carloads of spam for many thousands of users for many years.

The "image shingling" stuff is interesting, but I don't understand how analyzing images on websies could lead you to conclude that 94% of spam pitches are hosted on a single server (whatever that means). Seems to me you could do much the same looking at HTTP headers with curl -i.

Also, the article lumps together "scams" (phishing, "network marketing," etc.) with "spam" (drugs, porn, etc.), and even but I think that the network mechanisms behind the two would be somewhat different.

I have downloaded Voelker's paper (PDF at http://www.cs.ucsd.edu/~voelker/pubs/spams...-security07.pdf and will try to give it a read as I have time. I note that he has another paper describing a spam-blocking protocol he calls "Occam" -- a quick scan of this paper indicates that the Occam protocol would allow a receiving server to ask the apparent sending domain if it really did send the message -- D'OH! (:head smack:) why didn't I think of that?

(added in edit) Also strikes me that "Occam" might be an inapt name, since with DKIM and SPF one might contend that Yet Another Sender Domain Verification Protocol would be a "needless multiplication of entities." Just my early impression, though.

-- rick

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...