Small businesses getting shafted by spam
A week or so ago I spewed out an almost 20-page whinefest on my multi-front spam problems, and got all sorts of responses. Everything from suggestions to sympathies to the most common: people just getting hammered and asking if I had suggestions for what they should do.
The Register has a short but interesting article saying small businesses are actually getting hammered harder by the spam problem than larger ones:
Small businesses are more likely to be targeted by spam email than larger companies. According to Postini, an email security firm, businesses with 100 or less computer users get up to 10 times more spam than corporates employing over 10,000 workers.
It says that small businesses lack the budget to invest in the latest anti-spam software. As spammers adopt increasingly sophisticated ways of getting through company filters, small firms are more likely to be affected.
This unfortunately makes a lot of sense, yet throws me a little at the same time. On the one hand, it makes perfect sense that smaller businesses just wouldn't have the resources to have dedicated hardware sitting on their pipe waiting to eat through hundreds of thousands of messages.
On the other hand, they're saying that the small firms actually have more spam coming in, and the only way that makes sense is if, thanks to their weaker protections, small-business domains keep getting confirmed as deliverable and end up on the lists that are worth deluging.
Chris Smith at Postini said: "What we're seeing is a profound increase in the sophistication and incidence of tactics designed to fool conventional anti-spam filters."
So I'm not crazy. About a year ago I had a passing conversation with a guy, who had a friend of a friend who worked in Russia... who was essentially doing analysis on spam filters, which he'd then sell to spammers through second parties. The idea was fairly straightforward:
He had a bank of $600 whiteboxed computers brought in from Russia, and would download the newest open source filters and set them all up. SpamAssassin, etc. For the commercial filters, well, you can walk down to a bazaar or computer shop and pick up basically anything you want on a CD for $5. Initially this started out as taking various messages and feeding them through the system with variations to see which had the highest chance of getting through.
As his... clientele... became more sophisticated in their needs, this became a scarily serious project, where he'd sit down and 'build up' (train) the filters before hitting them with tens of thousands of variations. He could then go to his customers with a list of messages with the highest chance of general success. Most of this I tuned out, as you just never really know how much of these stories gets embellished.
Towards the end he was talking about how the guy was basically employing six other people to help him, and one of their large targets was the idea of specifically degrading ISP and corporate filters. The sheer economics of it made a lot of sense. Often an ISP will be running something like SpamAssassin, and anything that has to be trained is going to be much more effective at the individual level.
That is, not everyone gets the same types of messages or the same types of spam. If you train it globally, on all the messages that go through the ISP, it's just not going to be quite as effective. You really need a dual approach, where the system is able to watch things globally, but individuals are also feeding it their specific spams and hams. This might surprise you, but a lot of users just don't run spam filters at all on the client side.
They become too much of a hassle to deal with, and it's really a drag for grandma to sit there marking things as junk and not junk. It often just gets turned off. Expecting them to forward the messages to the ISP's spam-training address the right way, or even to drag their hams and spams into a specific IMAP folder so the ISP's software can do its magic via cron, is just asking a bit much.
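To make the global-versus-individual training point concrete, here is a small Bayesian filter (an added example, not code from the post or from any of the products it mentions). The corpus is constructed: a handful of "ISP-wide" spam and ham messages, plus the mail of one hypothetical user, a real-estate agent, whose legitimate mail is full of mortgage and refinance talk. Trained only on the global corpus, the filter throws the agent's real mail into the junk folder; merging in the agent's own reported hams fixes that without letting the actual mortgage spam through.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$@!']+")


def tokenize(text):
    """Lower-case word set; each token counts once per message."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    """Minimal naive-Bayes spam filter: Laplace smoothing, flat prior."""

    def __init__(self):
        self.spam_tokens = Counter()
        self.ham_tokens = Counter()
        self.nspam = 0
        self.nham = 0

    def train(self, text, is_spam):
        toks = tokenize(text)
        if is_spam:
            self.spam_tokens.update(toks)
            self.nspam += 1
        else:
            self.ham_tokens.update(toks)
            self.nham += 1

    def merged_with(self, other):
        """New filter whose counts are the sum of both: global plus per-user."""
        m = BayesFilter()
        m.spam_tokens = self.spam_tokens + other.spam_tokens
        m.ham_tokens = self.ham_tokens + other.ham_tokens
        m.nspam = self.nspam + other.nspam
        m.nham = self.nham + other.nham
        return m

    def log_odds(self, text):
        """Sum over tokens of log P(t|spam)/P(t|ham); positive means spam."""
        total = 0.0
        for t in tokenize(text):
            p_spam = (self.spam_tokens[t] + 1) / (self.nspam + 2)
            p_ham = (self.ham_tokens[t] + 1) / (self.nham + 2)
            total += math.log(p_spam / p_ham)
        return total

    def is_spam(self, text):
        return self.log_odds(text) > 0


# Constructed stand-in for what an ISP sees across all of its users.
GLOBAL_SPAM = [
    "lowest mortgage rate refinance now apply today",
    "refinance your mortgage lowest rate guaranteed",
    "cheap viagra online pharmacy order now",
    "you have won a prize claim now",
]
GLOBAL_HAM = [
    "lunch tomorrow at noon with the team",
    "please review the attached quarterly report",
    "meeting moved to thursday see you then",
    "thanks for the photos from the trip",
]
# Constructed mail reported by one hypothetical user, a real-estate agent.
AGENT_HAM = [
    "closing on the smith house the mortgage rate is locked",
    "refinance paperwork for the jones mortgage is ready",
    "rate lock confirmed for the garcia refinance",
]
AGENT_SPAM = ["cheap viagra online order now"]

AGENT_MAIL = "refinance mortgage rate locked for the smith closing"
REAL_SPAM = "lowest rate mortgage refinance apply now guaranteed"


def build_filters():
    """Return (global-only filter, global filter merged with the agent's own training)."""
    g = BayesFilter()
    for m in GLOBAL_SPAM:
        g.train(m, True)
    for m in GLOBAL_HAM:
        g.train(m, False)
    u = BayesFilter()
    for m in AGENT_HAM:
        u.train(m, False)
    for m in AGENT_SPAM:
        u.train(m, True)
    return g, g.merged_with(u)


def compare():
    """Verdicts for the agent's legitimate mail and a real spam under both models."""
    global_only, dual = build_filters()
    return {
        "agent_mail_global": global_only.is_spam(AGENT_MAIL),
        "agent_mail_dual": dual.is_spam(AGENT_MAIL),
        "real_spam_global": global_only.is_spam(REAL_SPAM),
        "real_spam_dual": dual.is_spam(REAL_SPAM),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name}: {'spam' if verdict else 'ham'}")
```

The global-only model tags the agent's mail as spam because "mortgage", "rate" and "refinance" only ever appeared in spam ISP-wide; once the agent's own hams are merged in, those tokens become neutral for that user while "lowest", "apply" and "now" still carry the real spam over the line. The merge is deliberately per user: the agent's counts should never be folded back into everybody else's model.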
So, by and large, these things have a habit of acting globally more often than not, and more and more ISPs and web hosting providers offer spam protection. Hell, a lot of companies with an employee count of under 100 probably don't even do their own web hosting, but rather get it through a service.
Going back to the economics of it, the reason why the latter part of the guy's claims stuck in my head was his example of a larger ISP or web hosting provider that receives tens of thousands, hundreds of thousands, or even millions of emails each day. All of it has to be filtered, and if you can degrade those filters by even a few percent before a large mailing, you drastically increase the reach of your spam campaign.
Think about it: AOL, Yahoo, or even your DSL provider gets an incredible amount of email each day. I'm told AOL was, at least at one point, dealing with over 1 billion emails per day. I'm just using AOL as an example, but think about the fact that even if you decrease the effectiveness of their filters by 1% you are going to get a hell of a lot of spam through that otherwise wouldn't.
Again, AOL is just an example of a larger ISP. One of the things the article mentions from the study is that one in three spam messages is sent by zombie networks, basically hacked computers, and AOL basically doesn't accept email from anything sitting on a DSL connection anymore (assuming it's not a hacked form script or server being counted). However, AOL is just one fish in the pond, and there are tens of thousands of people out there who do web hosting.
This cycle of filtering and breaking the filters isn't something that really feels winnable long term anymore, not if email is going to be any type of medium we can actually rely on. When I end up getting 3,000 spam messages a day, no way am I going to be going through the junk folder to see if something important got in there.
And when the spammer is able to have a bonanza by degrading some filters by a few percent, the economics, as they currently stand, just don't work out in our favor and will only continue to degrade.
Comments (5)
Posted by: drunkenbatman at January 31, 2005 08:18 AM
Bummer about that. I do like it when people include emails, as sometimes I need to look them up for whatever reason, but feel free to protect it in some way.... IE, i {a.t] drunkenblog [dot here] com
Posted by: Edward at January 31, 2005 09:01 AM
It seems stupid that they make such attempts to get through filters. Surely the mere existence of a filter is evidence that the recipient is not interested in whatever they might happen to be selling.
There ought to be some sort of anti-circumvention law. With the DMCA it is illegal to break any kind of copy protection, no matter how simplistically it is implemented. eg. using ROT13.
I'd like for it to be illegal to circumvent my SPAM filter. If I filter the word "Viagra" I am giving a clear and definite indication that I am not interested in receiving any mails pertaining to that product, and a Spammer should not attempt to circumvent my filter by using "V1gr@" or any other variations.
Why can't we have the laws work in our favour for once?
At the moment GMail seems to be working quite well for me, it's filtered out 940 mails since Jan 25th and only a couple ended up in my inbox. I forward all the ones that pass the filter out to my normal IMAP account. I don't know what technique they are using, but with the volume of mail they must be getting by now, and the ease of tagging things as Spam or Ham their filters ought to end up being very effective.
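The "V1gr@" trick Edward mentions is exactly the kind of variation the filter-testing operation in the post would have been churning out, and a plain keyword rule is beaten by it. An added example (not from the post or from any of the filters it names) of how a content rule can still catch these: normalize each token (strip accents, map lookalike characters, drop separators, collapse repeated letters) and then allow one edit of slack against the blocked word. The lookalike table and the sample message are constructed for the example.

```python
import re
import unicodedata

# Constructed lookalike table for the common single-character swaps; not exhaustive.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "!": "i", "|": "l", "+": "t",
})


def normalize(token):
    """Canonical form of one token: accents stripped, lookalikes mapped,
    non-letters removed, runs of the same letter collapsed."""
    t = unicodedata.normalize("NFKD", token)
    t = "".join(c for c in t if not unicodedata.combining(c)).lower()
    t = t.translate(LEET)
    t = re.sub(r"[^a-z]", "", t)       # "v.i.a.g.r.a", "v-i-a-g-r-a"
    t = re.sub(r"(.)\1+", r"\1", t)    # "viaaagra"
    return t


def edit_distance(a, b):
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag(message, blocked, max_dist=1, min_len=5):
    """(token, blocked_word) pairs whose normalized token lies within max_dist
    edits of a blocked word. Words shorter than min_len are matched exactly,
    since one edit on a three-letter word matches far too much English."""
    blocked = [normalize(w) for w in blocked]
    hits = []
    for tok in message.split():
        norm = normalize(tok)
        if not norm:
            continue
        for word in blocked:
            limit = max_dist if len(word) >= min_len else 0
            if edit_distance(norm, word) <= limit:
                hits.append((tok, word))
                break
    return hits


if __name__ == "__main__":
    # Constructed sample message; "niagara" is there to show the slack is bounded.
    sample = "Buy V1gr@ and C.i.a.l.i.s online, cheap v-i-a-g-r-a, niagara falls trip"
    print(flag(sample, ["viagra", "cialis"]))
```

"V1gr@" normalizes to "vigra", one insertion away from "viagra", so it is caught; "niagara" is two edits away and passes. The one-edit budget is the caveat: widen it and ordinary words start matching, which is why a rule like this belongs in front of a trained filter rather than as the whole defense.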
Posted by: moo. at January 31, 2005 11:01 AM
I've done what DB describes, and as much as I disliked it, when you get pushed out of a job by know-nothing asshats and the bills are due, it's a quick buck and frankly, you're so disenfranchised you don't care. Besides, they were all newsgroup posters and it was my little way of getting back at them. :)
Oh yeah, my attitude sucks about it - but it pays /extremely/ well and it's much easier than you think... Content filters are infantile compared with natural language parsers, and for anyone that knows the state of those, you should know how easy they are to defeat. And a decent amount of variation defeats Bayes easily. This is called a "split", and a common marketing tactic, spam or not. (thanks to said company, as I worked on a newsletter tool with a former employee of a very famous mailer company and had plenty of good tips for my employers)
How to block most of this stuff? DB is on the right track, but is missing something very important - blacklists. DNSbl is a great solution to weeding out the idiots, especially considering how slow CRM and SA are. Postini has and always will be trash, heck, when I used it, it sent me more emails about the viruses and spam I got than... the actual spam I would have gotten, and I had to call some monkey to get it turned off on my account (IT locked it, yay).
So, DNSbl, content filtering, and then you'll want a bayesian-aware client. This is a great way to keep 99% of it out, and while my email address is posted all over the place, I get 1-2 spam emails a week. Thousands are filtered or blocked during transmission.
If you want to bitch about what I did - become unexpectedly broke for a few months and see if you'll do it if you have the knowledge, and you have mouths to feed.
I hope that "appears sane". :)
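moo's ordering, DNS blacklist first and content rules after, is about cost as much as accuracy: a DNSBL hit is one DNS query at connection time, before the message body is even transferred, while content filters and Bayesian scoring have to read the whole thing. An added example (not from the post or from any product mentioned in it) of the mechanics: the query name is the sender's IPv4 octets reversed under the list's zone, an answer in 127.0.0.0/8 means "listed", and NXDOMAIN means "not listed". The zone name, the fake resolver and the content rule are all constructed stand-ins so the example runs offline.

```python
import ipaddress

LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """192.0.2.99 under zone X becomes 99.2.0.192.X (the usual DNSBL convention)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, zone, resolve):
    """resolve(name) returns the A records for name, or [] when it does not exist."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.IPv4Address(a) in LISTED_NET for a in answers)


# Constructed stand-in for DNS. A real deployment would use a real list zone and
# socket.gethostbyname_ex(name)[2], treating socket.gaierror as "not listed".
FAKE_ZONE = "dnsbl.example"        # hypothetical list zone
FAKE_RECORDS = {
    "99.2.0.192." + FAKE_ZONE: ["127.0.0.2"],   # 192.0.2.99 is on the list
}


def fake_resolve(name):
    return FAKE_RECORDS.get(name, [])


BLOCKED_WORDS = ("viagra", "refinance")   # constructed content rule


def classify(sender_ip, body, resolve=fake_resolve, zone=FAKE_ZONE):
    """Cheapest check first. A listed sender is refused at SMTP time and the body
    is never read; only mail that gets past the list pays for content filtering,
    and a trained Bayesian pass (not shown here) would come after that."""
    if is_listed(sender_ip, zone, resolve):
        return "rejected at SMTP: sender listed"
    if any(w in body.lower() for w in BLOCKED_WORDS):
        return "quarantined: content rule"
    return "delivered"


if __name__ == "__main__":
    # 192.0.2.0/24 is a documentation range, so these addresses are safe samples.
    for ip, body in [("192.0.2.99", "hello"),
                     ("192.0.2.1", "cheap VIAGRA"),
                     ("192.0.2.1", "lunch tomorrow")]:
        print(ip, "->", classify(ip, body))
```

Two caveats a practitioner would add: a DNSBL verdict is only as good as the list operator's policy, so pick lists whose listing and delisting rules you have read, and the lookup should be done against the connecting IP (never an address parsed from the headers, which the sender controls).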
Posted by: drunkenbatman at January 31, 2005 11:31 AM
Naw, Moo, we're alright and thanks very much for the comment and I do get where you're coming from. I have the feeling that's a mutual thing between us.
I got spam via drunkenblog! My comment in the previous thread was the first and only time I used this freshly created sneakemail address. A few days later, I got an email to it asking me to call out Gouranga. Irony.