Spammer tricks: unnatural acts with spam filters
This week's Security Levity is a follow-on from last week's. I want to talk about one more spammer trick: how spammers misuse spam filters to try to get their mail delivered to the inbox.
Spam filters are great. The best ones protect our inboxes from the vast majority of harmful, objectionable, or criminal email. They truly are our silent ally in the war against spam.
However, some spammers have learned to misuse spam filters for their own ends. I have first-hand intelligence confirming what many spam fighters have long suspected: smart spammers test their email content against spam filters.
Spammers download different spam filters and test their campaigns against them. They'll fine tune the text and format to maximize delivery to their victims' inboxes.
Usually, spammers target evaluation versions of commercial filters, and also open source filters -- mainly SpamAssassin. But they've even been known to pay for spam filter software (perhaps with a stolen credit card).
Based on these tests, spammers will sometimes send out several different versions of a campaign, each carefully tuned to penetrate a different anti-spam engine. That's a lot of work, but it can be worthwhile.
And it's not just inbound filters that spammers misuse. When spamming from stolen webmail accounts, or from certain ISPs, they test-send samples, to see if they make it through any outbound spam filters.
How do I know this? Because spammers have told me so, including one memorable guy who applied for a job at Commtouch. He turned out to be a "reformed" porn spammer; and although I didn't offer him a job, we certainly had an interesting and wide-ranging conversation!
The good news is that filters need not be fooled. There are several reasons why a spam filter might be immune to spammers testing their campaigns offline. Here are the two main reasons:
1) Sender reputation. Offline testing of spam filters doesn't usually take the reputation of the sending IP address or domain into account. In practice, that's too hard to test and introduces too many variables for a repeatable test.
2) Recurring pattern detection. A test message won't be blocked if it hasn't been part of a spam campaign before. But once a spammer begins sending the spam in bulk, the recurring pattern is detected and the spam gets quickly identified and blocked.
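To make the two reasons concrete, here is an added example of a toy gateway filter (written for this page; it is not Commtouch's RPD engine or any product's code). It layers a small content ruleset, the only layer an offline test can see, with a sender-reputation lookup and a recurring-pattern check that fingerprints a normalized copy of the body and counts how many distinct recipients have received it. The reputation table, the IP addresses, the thresholds and the sample message are all constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Assumed gateway threshold: a message scoring at or above this is blocked.
BLOCK_THRESHOLD = 5.0

# Hypothetical sender-reputation table (positive = penalty, negative = trusted).
# Real gateways get this from live blocklists and sending history, which is
# exactly what an offline test against a downloaded filter cannot reproduce.
SENDER_REPUTATION = {
    "198.51.100.7": 3.0,   # assumed: IP with a history of abuse
    "203.0.113.9": 0.0,    # assumed: unknown sender
    "192.0.2.25": -1.0,    # assumed: well-behaved corporate relay
}

# Assumed: the same pattern reaching this many distinct recipients counts as bulk.
CAMPAIGN_THRESHOLD = 3
BULK_PENALTY = 5.0

# Tiny content ruleset standing in for a full offline ruleset. This is the
# layer a spammer can tune against by rewording the message.
CONTENT_RULES = [
    (re.compile(r"\bfree\b", re.I), 1.0),
    (re.compile(r"\bclick here\b", re.I), 1.5),
    (re.compile(r"[!$]{2,}"), 1.0),
]


def content_score(body):
    """Sum of the weights of every content rule that matches the body."""
    return sum(weight for rule, weight in CONTENT_RULES if rule.search(body))


def fingerprint(body):
    """Hash a normalized body (lower-case, digits collapsed, whitespace folded)
    so that per-recipient tweaks still map to one campaign pattern."""
    norm = re.sub(r"\d+", "0", body.lower())
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha256(norm.encode()).hexdigest()


class GatewayFilter:
    """Content score + sender reputation + recurring-pattern detection."""

    def __init__(self):
        self.seen = defaultdict(set)  # fingerprint -> recipients that got it

    def score(self, sender_ip, recipient, body):
        total = content_score(body)
        total += SENDER_REPUTATION.get(sender_ip, 0.0)
        fp = fingerprint(body)
        self.seen[fp].add(recipient)
        if len(self.seen[fp]) >= CAMPAIGN_THRESHOLD:
            total += BULK_PENALTY  # the pattern is now recurring in bulk
        return total

    def is_spam(self, sender_ip, recipient, body):
        return self.score(sender_ip, recipient, body) >= BLOCK_THRESHOLD


def offline_test(body):
    """What a spammer sees when testing one copy against content rules alone."""
    return content_score(body) >= BLOCK_THRESHOLD


# Constructed sample: a body reworded to trip few content rules.
TUNED_BODY = "Your account 1234 needs attention. Visit our site for details."
RECIPIENTS = ["a@example.com", "b@example.com", "c@example.com", "d@example.com"]


def simulate_campaign(sender_ip, body, recipients):
    """Send the same campaign to several recipients through one live gateway
    and return the per-message verdicts in order."""
    gateway = GatewayFilter()
    verdicts = []
    for i, rcpt in enumerate(recipients):
        personalised = body.replace("1234", str(1000 + i))  # per-recipient tweak
        verdicts.append(gateway.is_spam(sender_ip, rcpt, personalised))
    return verdicts


if __name__ == "__main__":
    print("offline verdict:", offline_test(TUNED_BODY))
    for ip in SENDER_REPUTATION:
        print(ip, simulate_campaign(ip, TUNED_BODY, RECIPIENTS))
```

The offline test passes the tuned body, and the first couple of live copies pass too, which is what a spammer's test-send shows. From the third distinct recipient onward the fingerprint crosses the bulk threshold and an unknown or poorly reputed sender is blocked, while the same body from a trusted relay is not blocked by the pattern count alone, which is why reputation and pattern detection are combined rather than used in isolation.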
When he's not analyzing spammers' tricks, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider.