Date: Tue, 15 Jun 2004 21:42:47 -0400 (EDT)
From: "Keith F. Lynch" <kfl at KeithLynch.net>
To: WSFA members <WSFAlist at WSFA.org>
Subject: [WSFA] Re: Spam Observation
Reply-To: WSFA members <WSFAlist at WSFA.org>

Barry Newton wrote:
> A while back, I was complaining about a sudden jump in the amount
> of spam I received--it's gotten to about 2500 a day, and growing.
...
> Made the breakthrough discovery tonight: almost none of those emails
> were addressed to "bnewton." They were almost all made-up names at
> my domain.
...
> I am now hypothesizing that some purveyor of mailing lists has found
> it easier to generate listings rather than harvest them--a new low
> in screwing the customer.
...

This isn't new. Spammers started doing so-called "dictionary attacks" about six years ago. It's called this in an analogy with the older trick of trying to break into a computer account by automatically trying every word in the dictionary as a password.

Typically the dictionary-attacking spammer combines the several hundred most common first names (together with all possible initials), with the several hundred most common last names (together with all possible initials), and prepends each of these in turn to the same domain name. Fortunately for us, they usually choose aol.com, msn.com, or earthlink.net as the targeted domain name, rather than ashcomp.com, keithlynch.net, or wsfa.org.

I get hit by such an attack a couple times a month. My filters block it, of course, but the filter's log files -- three short lines per attempt -- have occasionally used up my entire 75 meg allocation, after which all legitimate email was lost.

I don't know if anyone is deliberately selling spammers lists of randomly generated email addresses. I do know that for several years, numerous people including me have been placing vast numbers of bogus email addresses on web pages with the intention of causing spammers to waste time and effort harvesting them and sending to them.

Unfortunately, the immense amount of computer power and bandwidth that are inexpensively available, and the even more utterly immense amounts of both which are available on poorly secured machines which can easily be hijacked remotely, means that it's not unusual for a spammer to be able to send several *billion* messages each day. This means it doesn't really help that probably over 99% of them go to bogus addresses, any more than it's any consolation to someone allergic to cicadas that the vast majority of cicadas are hundreds of miles away from them.

It's an arms race between filters and spammers' attempts to evade filters. Since spammers have sheer numbers on their side, they are winning. Filters which block 99% of all spams are completely useless. Filters which block 99.9% of all spams are still marginally useful, but will soon be useless.

Notice that to evade filters, most spams contain several lines of randomly generated text, different for each recipient. I've seen little discussion of the enormous numbers involved. It's pretty much certain that by now the majority of all text which has ever been written consists of randomly generated text in spams. And that the majority of crimes that have ever been committed consist of spamming. And, quite possibly, that the majority of damage ever done by non-violent crime consists of damage done by spamming.

I believe that the current "dot bomb" tech doldrums have more to do with spam than with 9/11 or oil prices. Vast amounts of IT talent have been reallocated toward fighting spam, slowing down the rate of progress, innovation, and investment.

As of this year, there's a new federal law involving spam. It's so weak that it mostly acts to explicitly *legalize* most spam which had previously been illegal under various state laws and under the common law. Am I really expected to file several tens of thousands of crime reports every day? And if I somehow did, would the FBI or anyone else really attempt to prosecute the crooks? And if they did, would they get the right guys, given that the government is notorious for prosecuting the innocent, and that spammers almost invariably forge their return addresses?

The vast majority of emails which have gone out with my name on them were sent by spammers forging my email address. In fact I've even had to blacklist *myself*! That's right, I have several thousand people on my email whitelist (i.e. email from them will be accepted at any email address which reaches me), but my own name and address isn't on it!

I doubt email will still exist in two years. But as long as it does, I'll keep this list going. This list has never been successfully spammed, since:

* The list address has never appeared on any public web page, newsgroup posting, or anywhere else spammers could harvest it.

* Any email to the list from someone who isn't a past or present WSFA member is automatically rejected.

* Any email which is too long is automatically rejected.

* Any email to the list from a WSFA member in HTML, or with an attachment, is sent to me, not to the list. (Most spams are in HTML or have attachments.)

Ted White wrote:
> 2500 spam a day, eh? That's about a hundred times the number I get
> per day. Is that before or after filtering?

Before filtering, I currently average about 50,000 per day. With much higher spikes during dictionary attacks.

Those of you who were at the Fifth Friday party at my place in January saw my filter logs in real time. Every two or three seconds a spam would be rejected. Like a bug zapper in a swamp. Spam volume has nearly doubled since then.

I've since given up on filtering, and switched to a combination of whitelisting and disposable email addresses. I also accept all email with certain key words on the subject line. Nevertheless, the majority of emails which get through are *still* spams. Some because they happen to forge the name or address of someone on my whitelist. Some because they've already harvested the disposable address (the record is 19 minutes). Some because the subject line happens to contain one of the key words.

Barry Newton wrote:
> I wasn't thrilled. But that's still only a fraction of what Keith
> seems to be dealing with. I was seriously considering abandoning
> my email address of some 10 years. Mr. Lynch must have some
> masochistic tendencies.

I've relied heavily on email for thirty years. (That's right, I started using it in 1974.) I'm about as willing to give it up as most Americans are willing to give up electricity and indoor plumbing.

If it's any consolation, Seth Breidbart, who is well known in both fannish and anti-spam circles, believes that the good guys are winning. All I can say is I don't see any evidence of this.

-- 
Keith F. Lynch - http://keithlynch.net/
Please see http://keithlynch.net/email.html before emailing me.
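
The list rules in the message above (members only, length limit, HTML or attachments held for the list owner), written as a routing function. This is an added example, not the filter Keith Lynch actually runs; the member roster, the 40,000-byte limit and the names `route` and `build_sample` are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

MEMBERS = {"alice@example.org", "bob@example.net"}  # constructed roster
MAX_BYTES = 40_000  # assumed limit; the message only says "too long"

def route(raw, members=MEMBERS, max_bytes=MAX_BYTES):
    """Return 'reject-nonmember', 'reject-too-long', 'moderator' or 'deliver'."""
    msg = message_from_bytes(raw, policy=policy.default)
    # From: is unauthenticated. The message notes that spammers forge
    # whitelisted senders, so this only stops senders who cannot name a member.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender not in members:
        return "reject-nonmember"
    if len(raw) > max_bytes:
        return "reject-too-long"
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        if (part.get_content_type() == "text/html" or part.is_attachment()
                or part.get_content_maintype() != "text"):
            return "moderator"  # held for the list owner, not distributed
    return "deliver"

def build_sample(sender, html=False, attach=False, pad=0):
    """Build a constructed test message as raw bytes."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "list@example.org"
    m["Subject"] = "meeting"
    body = "See you Friday.\n" + "filler line\n" * pad
    m.set_content(body, subtype="html" if html else "plain")
    if attach:
        m.add_attachment(b"\x00\x01", maintype="application",
                         subtype="octet-stream", filename="a.bin")
    return m.as_bytes()

if __name__ == "__main__":
    cases = {
        "member, plain text": build_sample("Alice <alice@example.org>"),
        "stranger": build_sample("x@spam.invalid"),
        "member, HTML": build_sample("bob@example.net", html=True),
        "member, attachment": build_sample("bob@example.net", attach=True),
        "member, oversized": build_sample("alice@example.org", pad=5000),
    }
    for label, raw in cases.items():
        print(f"{label:20} -> {route(raw)}")
```
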