Fighting Spam

Randy Appleton

Northern Michigan University

rappleto@nmu.edu

What is Spam

• Probably, it’s “unsolicited and unwanted commercial email sent in bulk”.

Sometimes It’s Not Spam

• You did sign up for it.

• You accidentally signed up for it.

• You still don’t want it.

How Is It Delivered?

• Anyone can fake email.• 80% of all spam came from bot-nets

– We helped • Open relays are mostly gone.• You can hire this done for you (see Google).

How Much Spam Is There?

• In absolute numbers

• 1978 - An e-mail spam is sent to 600 addresses.

• 1994 - First large-scale spam sent to 6000 bulletin boards, reaching millions of people.

• 2005 - (June) 30 billion per day

• 2006 - (June) 55 billion per day

How Much Spam Is There #2

• As a percentage of the total volume of e-mail

• MAAWG estimates that 80-85% of incoming mail is "abusive email", as of the last quarter of 2005. The sample size for the MAAWG's study was over 100 million mailboxes.

• More is coming!!!

Why They Spam

• Money

• Political causes.

• Money

• It’s fun

• Money

• Money

Sell You Something

• It’s just mass electronic marketing

• They give you a web site, you click over and buy the product.

• Email might even be targeted.

• weight loss.html

Does Selling By Email Work?

• Kodak settled a CAN SPAM suit with the FTC. Their Ofoto unit sent two million commercial messages that didn't comply with the CAN SPAM act. They didn't include a notice that it was an ad, opt-out info, and Kodak's postal address. They paid the FTC $26,000, the revenue they got.

Pure Fraud

“There is a sucker born every minute.”

• Send email to lots of people.

• Wait for sucker to respond.

• Convince them to give you money.

• Nigerian bank fraud

Identity Theft

• Send an email message.

• Direct them with a bad URL.

• Capture their info.

• Reject login and send them to the right site.

• Microsoft says to manually check every link.

Identity Theft #2

• An Example

• Who Did It.

Stock Manipulation

• Pick a small cap stock

• Buy some.

• Send spam telling people about the stock.

• Sell when price rises.

• stock-spam.txt

• spam-stock.jpg

• New York Times

Yes, Spam Works

• 5% response rate from sexual material.

• 0.02% response rate for drugs.

• 0.0075% response rate for Rolex Watches.

Avoiding Spam

• Don’t let them get your email address.– Don’t use AOL, etc.– Don’t put address on web page.– Don’t use mailing lists.

• Throw away email addresses.– Mailinator, spamgourmet, sneakermail

• Annoying …. but possible.

List Removal

• For a reputable company, you can always click “remove me from the list”.

• A disreputable company will merely take that to be confirmation you’re reading the email.

• It’s a calculated gamble.

Auto Detecting Spam

• Blacklist

• Whitelist

• Bayesian Analysis

• Other Analysis

• These are all things your email server does for you.

Blacklist

• A list of web sites from which you don’t take mail.

• Automatically interfaced to your email server.

• Spamhaus Block List– Zelots– Many choices.

Defeating Blacklists

• The spammers can switch ISPs.

• The spammers can use a botnet.

Whitelist

• There is no global whitelist; you make your own.

• Your own contact group is a good start.

• Add your institution.

• Add people to whom you have sent mail.

• Semiautomatic at best.

Bayesian Analysis

• Make two piles of mail: spam and ham.

• Find words or phrases that can be used to identify mail.

• Check all incoming mail for those phrases.

• Normally you get a starter database that can be customized.

Example Bayesian Analysis

• My friends don’t email me about Viagra.

• They do email me about Linux.

• The phrase “stupid freshmen” appears in email to me.

• The phrase “hot freshman” does not.

• Result is a score.

Fighting Back

• Don’t.

• The nasty email goes to an innocent.

• Or it confirms you exist.

• Or it bounces back to you.

Using

• Gmail filters.

• Gmail allows pop downloads.

• You can even forward the mail to Gmail to keep your old account name.

Summary