FC: More on annoying type of s...p...a...m... isn't new after all

[Declan McCullagh <declan () well com>]

[This is a good time to thank Chip Rosenthal, a list subscriber and savvy 
sysadmin who spent a good part of his day on Jan. 20 helping me to stave 
off a flood of incoming spam-mail tying up the Politech server. Two other 
folks helped too (you know who you are) -- thank you! As for the previous 
message, I received a lot of replies -- here's a selection. Note one 
warning that if I forward newsworthy spam to Politech, I may get tagged as 
a spammer. This is a job for whitelists... --Declan]

---

Date: Tue, 04 Feb 2003 17:53:37 -0500
From: Christopher Fortin <c.fortin () verizon net>
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3a) Gecko/20021212
To: declan () well com
Subject: Re: FC: A really annoying new type of s...p...a...m...

Declan McCullagh wrote:
> I hand't seen this before -- a spam apparently designed to get around
> word filters.  Ugh.

Not around Spam Assassin ...

X-Spam-Score:  7.4 (*******) 
GAPPY_SUBJECT,DOUBLE_CAPSWORD,GAPPY_TEXT,CASHCASHCASH,PORN_10,PORN_4,PORN_3

BTW, great list.


--
Christopher Fortin, Ph.D. EE, Senior_Scientist@BBN <parared () elderhome org>
"I am not a friend to a very energetic government. It is always oppressive."
         Thomas Jefferson

---


Date: Tue, 4 Feb 2003 16:19:51 -0600
To: Declan McCullagh <declan () well com>
Subject: Re: FC: A really annoying new type of s...p...a...m...
In-Reply-To: <5.1.1.6.0.20030204165029.01f46400 () mail well com>
From: Brian McGroarty <brian () mcgroarty net>

> I hand't seen this before -- a spam apparently designed to get around
> word filters.  Ugh.

If you quote and resend spam, you end up adding weight to your name
and the mailing list headers in people's adaptive spam filters. You're
increasing the likelihood of a false positive on your name (and the
mailing list) in the future.

---

Date: Tue, 4 Feb 2003 14:15:46 -0800
From: Eric Murray <ericm () lne com>
To: Declan McCullagh <declan () well com>
Subject: Re: FC: A really annoying new type of s...p...a...m...

On Tue, Feb 04, 2003 at 04:51:39PM -0500, Declan McCullagh wrote:

[deleted]

I've seen lots of that.

Ever better is the spam with HTML comments between word
fragments, i.e.


"Ma<!--Mary had-->jor New<!--a little-->slet<!--lamb-->ter Ann<!--its 
fleece-->ouncem<!--was white-->ents and Huge New<!--as snow-->sletter"


It's not hard to make a spam word recognizer ignore the virtual
whitespace (and use it as a spam-recognition key in itself).


Eric

---

Date: Tue, 04 Feb 2003 14:09:01 -0800
From: Jamie Zawinski <jwz () jwz org>
To: declan () well com
Subject: Re: FC: A really annoying new type of s...p...a...m...

Kaimi Wenger wrote:
>
> I hand't seen this before -- a spam apparently designed to get around
> word filters.  Ugh.

I've been seeing those for a while now.  Yesterday I got some
consecutive spams that contained exceptionally "creative" spellings...

Proof that spammers dig unix:

        S1uts forced to fsck by Drunk Men
        Gir1s rapied by Drunk Men

Yo, bum rush the spam:

        Gang rappists force to seks Maids from California
        Salacious criminals de-flower Babbes from North Carolina

---

Date: Tue, 04 Feb 2003 21:04:07 -0500
From: Tom Maguire <tmi () idt net>
Reply-To: tmi () idt net
To: declan () well com
Subject: (SPAM?) Re: FC: A really annoying new type of s...p...a...m...
References: <5.1.1.6.0.20030204165029.01f46400 () mail well com>


Dear Declan,

http://www.mailwasher.net/

I may have sent you this link before. This "donation requested" program allows
you to preview and bounce email BEFORE you remove it from the server. This 
often
results in your being culled from the offending email list.

It can auto bounce according to spamcop and other services or override their
listing with it's own friend/blacklist database. I have been using it for about
six months and like it very much.

Tom Maguire
TMI Engineering

---

Date: Tue, 4 Feb 2003 06:48:03 -0800 (PST)
From: alan <alan () clueserver org>
To: Declan McCullagh <declan () well com>
Subject: Re: FC: A really annoying new type of s...p...a...m...


If you think it is bad now, just wait until the spammers discover "e133t
Sp33k".  (Which was created by hackerlets to get past BBS content
filters.)

---

Date: Tue, 4 Feb 2003 17:09:59 -0500 (EST)
From: "Matthew G. Saroff" <msaroff () fellspt charm net>
Reply-To: "Matthew G. Saroff" <msaroff () pobox com>
To: Declan McCullagh <declan () well com>
cc: politech () politechbot com
Subject: Re: FC: A really annoying new type of s...p...a...m...

        Not that I'd do it, but I think that there might be a developing
market for a person who is hired to track down the physical location of
spammers, and take a sledge hammer to their computers.
--
  Matthew G. Saroff
Navicula hydraulica plena anguilarum est.

---

Date: Tue, 4 Feb 2003 14:27:13 -0800
From: Brad Templeton <brad () templetons com>
To: Declan McCullagh <declan () well com>
Subject: Re: FC: A really annoying new type of s...p...a...m...
Message-ID: <20030204222713.GK1279 () main templetons com>


Nothing new, actually.   Been extremely common for many years, I am
amazed you could have missed it!

Spammers will find ways around laws and word filters.  I think the
only option is to go after the actual cause of spam, not symptoms.
The root issue is that it is sent in bulk.

    http://www.templetons.com/brad/spume/endspam.html


---

To: <declan () well com>
Subject: Re: A really annoying new type of s...p...a...m...
Date: Tue, 4 Feb 2003 15:29:40 -0700
Organization: MailSoap, Inc.
From: Kevin Zollinger <kevin-dated-1044832691.c9137b () mailsoap com>

> From: Kaimi Wenger <kaimipono () earthlink com>
>
> I hand't seen this before -- a spam apparently designed to get around
> word filters.  Ugh.
>

Declan,

This is nothing new and is actually less sophisticated than others that I
have seen. Some of the better educated spammers are sending invalid html
keywords as part of their spiel to avoid filters so "make money fast"
becomes "ma<hhg>ke mon</hhg>ey fa<jasjsad>st!" to avoid the filter. Even so,
either method will still get caught by a challenge-response system (like
TMDA, which we use) or a self education system such as one of the many
"bayes"ian schemes around. The advantage with the bayes scheme is that
attempting to mask the spam by using either the odd punctuation or scrambled
html will *help* to identify the email as spam. When was the last time that
a legitimate email had either of those features? The problem with the bayes
scheme is first that because it learns from your input you'll have to see
the first email for each variant of this to identify it as spam. The second
problem is that a really smart spammer (if there are any such) could easily
generate random but invalid html tags to insert in random locations. Unless
the bayes software was crafted well each spam such generated would require
human identification. The problem only with TMDA and its clones is there is
a barrier placed before a users inbox, meaning that only people who can read
and follow instructions can get into my inbox.

--
kevin zollinger
kevin () mailsoap com
Co-Founder - MailSoap.com - The home of spam-free email!




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
Recent CNET News.com articles: http://news.search.com/search?q=declan
-------------------------------------------------------------------------