Some brief notes on spam

November 1st, 2011
  • It was probably a mistake to use a catchall account and make up addresses on the fly. Now I get spam on every address that is published! I may do something like the fellow at unstable.nl does and have a dedicated spam address that allows me to deduplicate those, but I haven't yet figured out how to do that in Claws Mail.
  • I think spammers may be avoiding honeypots by preferring email addresses that are very likely to be real -- such as those on Bugzilla sites.
  • I recently switched my hosting service for my brainonfire.net email address from Lavabit (horrible customer service) to Cotse (they seem like good folks), but I still receive spam at Lavabit! I think spammers are caching MX records. This could be used against them.

Proposal: Automatic verification of email address ownership

January 14th, 2008

Many sites require email verification to prevent impersonation by spammers (and to ensure that a user can retrieve their password, should they forget it). Since this practice is a bit of a hassle for the user and does not require any thought on the user's part (sign into email, see registration email, click link), it should be automated. I've written a proposal for how to implement this.


When torrents bite back

September 19th, 2007

Four days ago, a group calling itself the "MediaDefender-Defenders" released a torrent pointing to 700 megabytes of corporate emails from MediaDefender, a company providing "BitTorrent protection services" to record labels and movie studios. The emails expose company strategy, confidential contracts, passwords and login information, lists of servers and IP addresses, and reactions to mentions of the company in the news [read them here]. This post is a summary of recent events, along with a heaping of speculation as to what happened behind the scenes.


Wanted: Spam trap extension for Mozilla Thunderbird

June 16th, 2006

I'd like to see someone write a spam-trap extension for Mozilla Thunderbird that would simply delete any messages that match messages from a spam-only account. I'd be willing to pay for such an extension.

Concept

I first saw this idea in use on unstable.nl. At the bottom of the page was this puzzling declaration:

spam-trap@unstable.nl - Please send spam.
Humans may write to andreas@unstable.nl

I presume that Andreas has programmed his mail client or retriever to delete from andreas@ any messages that are identical or similar to messages that appear on spam-trap@. I later contacted him on Jabber, and he validated my suspicions, adding that he only sees one piece of spam per week. I was impressed.

Specification

A Mozilla Thunderbird plugin could easily implement this concept. Have the user specify an address they don't use, but own, such as an outdated Hotmail account. Then delete any similar or identical messages that arrive on other accounts. Defining "similar" is the hard part, of course, but I have some ideas:

  • Compute a quick hash of each embedded attachment (otherwise attachments may have a disproportionate effect on filtering)
  • Use the diff function on textual areas
  • Strip query strings from URLs and embedded forms (query strings may have hashed copy of email address embedded)
  • Compare some email headers
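
One way to implement the similarity test outlined in this list, added here as an example (it is not code from this post or from unstable.nl). The function names, the 0.85 threshold, the 80/20 body/subject weighting, the use of Subject as the only compared header, and the sample messages are all assumptions.

```python
import difflib
import hashlib
import re
from email import message_from_string

# Matches a URL plus its query string or fragment; group 1 is the part kept.
URL_RE = re.compile(r'(https?://[^\s?#"<>]+)[?#][^\s"<>]*')

def fingerprint(msg):
    """Return (normalized body text, set of attachment hashes, subject)."""
    texts, attachments = [], set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "text" and not part.get_filename():
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            # Query strings may embed a hashed copy of the recipient address.
            text = URL_RE.sub(r"\1", text)
            texts.append(" ".join(text.split()).lower())
        else:
            # Hash attachments so a large image cannot dominate the text diff.
            attachments.add(hashlib.sha256(payload).hexdigest())
    subject = " ".join((msg.get("Subject") or "").split()).lower()
    return "\n".join(texts), attachments, subject

def is_similar(candidate, trap, threshold=0.85):
    """True if candidate resembles a message received on the trap account."""
    c_text, c_att, c_subj = fingerprint(candidate)
    t_text, t_att, t_subj = fingerprint(trap)
    if c_att & t_att:
        return True  # assumption: a shared attachment hash is decisive
    if not c_text or not t_text:
        return False
    body = difflib.SequenceMatcher(None, c_text, t_text).ratio()
    subj = difflib.SequenceMatcher(None, c_subj, t_subj).ratio()
    return 0.8 * body + 0.2 * subj >= threshold

def filter_inbox(inbox, trap_messages):
    """Keep only inbox messages that resemble nothing on the trap account."""
    return [m for m in inbox if not any(is_similar(m, t) for t in trap_messages)]

# Constructed sample messages (not real mail); {t} is a per-recipient token.
BODY = ("Buy cheap watches at http://shop.example.test/offer?id={t} now. "
        "Unsubscribe: http://shop.example.test/unsub?u={t}\n")
def _mail(to, subject, body):
    return message_from_string(f"To: {to}\nSubject: {subject}\n\n{body}")
TRAP = _mail("spam-trap@example.test", "Cheap watches today", BODY.format(t="abc123"))
SPAM = _mail("me@example.test", "Cheap watches today", BODY.format(t="zz99"))
HAM = _mail("me@example.test", "Lunch on Friday?", "Are you free for lunch on Friday?\n")
```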

Research

I don't know much about email headers or routing, so I don't know how same-session spam messages are similar or different. Research into this would be necessary. Perhaps public data on this already exists.

Problems

This technique of filtering may be circumvented if spammers start sending out messages with more randomization and scrambling. Additionally, if this filtering technique were to become popular, unforeseen loopholes would undoubtedly arise. In both cases, however, I am certain that spammers would be required to use more processing power, and therefore incur more cost to themselves.

Bounty

This is a cool enough idea to warrant a bounty, especially if research is required. I would be willing to pay $50 out of my own pocket for the first successful solution, and I'm sure others would be willing to contribute. Alternatively, if someone can find a fatal flaw in the idea before any serious work is done, I am willing to pay that person $5-10. (I might pay more if they devise a new specification that is not vulnerable to the same flaw.)

A "successful solution" is defined as open source/free software, cross-platform, reasonably non-buggy, and able to implement at least the core feature of the request (here, deletion of mail on one account upon receipt of a similar message in another). A "fatal flaw" is defined as a reasonably easy concept or proof-of-concept which, if implemented, would defeat any reasonable solution.

Please, if you plan to implement this idea, leave a note here so that people are not duplicating efforts. If there is a change in status, I will notify every person who leaves a comment, unless they request otherwise. (Yeah, I know, opt-out emailing...)

Are you willing to pledge bounty money for an implementation? Leave a note here to motivate potential developers. (Your pledge isn't binding, even though mine is.)