Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

Re: Most of the email spam I get is:

by jonadab (Parson)
on Dec 31, 2004 at 14:14 UTC ( [id://418538]=note: print w/replies, xml ) Need Help??


in reply to Most of the email spam I get is:

Let's see...

  • Character sets I can't read count as undeciperable, right? 306MB and counting. 166MB of that is GB2312 alone. (This is since August 27, 2002.) The various ks_c_ charsets between them account for another 60MB.
  • Stuff either doesn't specify what charset it's in or that's theoretically in character sets I can potentially read (mainly, UTF8, which I unfortunately can't filter because some people in the open-source community write English messages in it in preference to ASCII or Latin-1, for no discernible reason), but the subject line contains either long strings of non-alphanumeric characters, or nothing but alphanumeric characters, probably also counts as undecipherable. Another 141MB. A handful of these have long strings of punctuation in the subject, but most of them are Unicode messages written in a non-Latin writing system. 141MB since September 2003 when I wrote the rule.
  • That virus from a while back, "See the attached file for details", 235MB.
  • Assorted miscellany my filters didn't catch, 166MB (between 2004 April 23 and December 6; I start a new bin for this periodically so I can calculate the impact per-day and see how much it's increasing).
  • I did get one CPAN bug report once... for some reason I filed that under nnml:perl.* rather than under nnml:spam.*, go figure.

The unfiltered stuff (which lands in my inbox and gets shifted manually) is what annoys me most, and I'm continually looking for ways to reduce it, without getting false positives. (My experiments with Bayesian filtering were a wash; after training ifile on my entire very large corpus of mail, I found that I had to continually go through the whole spam bin for false positives. With the system I use now, I don't go through the filtered ones, only the unfiltered ones that land in my inbox.)

Some of the kinds of spam that land in my inbox include the following:

  • Messages with an enigmatic or vague subject line (that looks like a Markov chain or random dictionary words) and no content -- absolutely nothing in the body at all, no HTML part, no attachment, no nothing. I seem to get a fair amount of this, and I'm confused as to what possible reason the spammers could have for sending it.
  • 419s. I haven't found a solid way to detect them (without false positives) yet.
  • Phony giveaways
  • Adverts for warez
  • pornography
  • Adverts for medical products that do not, in fact, exist: ways to reverse the aging process, cures for cancer, and the like
  • Spam written in Latin characters, but in a language I don't read. Spanish predominates in this category, but I've seen German, French, and I think Italian. If I get any Portuguese, I probably mistake it for Spanish.
  • Spam written using non-Latin characters (but without specifying the charset as such, either because it's not specified at all or because it's unicode) that slips past the filter rule for non-alphanumeric subject lines by throwing in alphanumeric characters in a few spots.
  • Various prescription meds adverts that slip past my filtering rules. Most of them seem to slip past, even though I've tried to be clever with my regular expressions. I write stuff like "^Subject.*[Vv].?[Ii1l|].?[Aa@].?[Gg].?[Rr].?[Aa@]" but they still find other ways to say it and slip past. I think they use lookalike Unicode characters. Did I mention that Unicode is a plague and a nuissance? Yeah.
  • Sundry other nonsense and junk.

However, even the stuff that gets filtered is a significant annoyance, because of the bandwidth it uses. I'm on 33.6 dialup here, so retrieving my mail takes a few minutes; when most of what I'm retrieving is unsolicited bulkmail, it's annoying to have to wait for that.

Replies are listed 'Best First'.
Re^2: Most of the email spam I get is:
by hostyle (Scribe) on Jan 03, 2005 at 12:54 UTC

    Messages with an enigmatic or vague subject line (that looks like a Markov chain or random dictionary words) and no content -- absolutely nothing in the body at all, no HTML part, no attachment, no nothing. I seem to get a fair amount of this, and I'm confused as to what possible reason the spammers could have for sending it.

    Testing if its a valid email address? If it doesn't bounce your email address gets added to the "alive" list.

[reply]

      I Disagree. They can't reliably get information on what addresses work from the transport mechanisms. The Mail Exchanger (MX) for any given domain may simply be a relay, and unable to tell the remote host if the/a recipient is invalid. If your MX is able to give that information, or is a relay that can do so by using LDAP lookups, I'd be surprised if the spambot actually cared about recording the status of that particular e-mail address (a lead, if you want to make it sound nice).

      Now, in the case that you have a relay, every message will get an OK status when the spambot delivers the message. When the message gets to a host that can say if the recipient is invalid, the relay that was connected to that host will make the "bounce" message -- I'll say "DSN" here. DSNs are sent to the envelope sender of the message. There's a very slim chance that the envelope sender of a spam message goes to some mailbox that tracks the status of leads. That would make blocking spam messages much easier for us Good Guys. Most of the time, they will use an invalid user at a valid domain. Sometimes, the user is valid. That's called a Joe Job, and the user or domain will start receiving thousands of DSNs for messages that they never sent. Not fun at all.

      I think that in this case, it's simply a mistake on the spammer's part. That sort of thing is rather common -- most often, I see messages that have a bunch of tokens that are meant to be substituted before the message goes out, but aren't. I've seen some other stupid ones before, too.

      mhoward - at - hattmoward.org
[reply]
Re^2: Most of the email spam I get is:
by MarkusLaker (Beadle) on Jan 05, 2005 at 00:47 UTC
    My experiments with Bayesian filtering were a wash; after training ifile on my entire very large corpus of mail, I found that I had to continually go through the whole spam bin for false positives.

    I did the same thing when I first came to Bayesian filtering, but that's not the way to get the best results out of it. Filtering is more accurate if you simply correct its mistakes as they occur than if you preload it with an existing corpus.

    There's much more information about Bayesian filtering at Paul Graham's site.

    Markus

[reply]
      Filtering is more accurate if you simply correct its mistakes as they occur

      If I have to correct false positives as the occur, this so-called "filtering" is no good to me at all, because it means I have to go through all the spam. Worse than useless. My existing filtering system is significantly better, because I am confident that 100.000% of everything filtered into the spam folders is, in fact, worthless junk. Additionally, *most* of my legitimate mail is filtered into various spam-free folders based on topic, list, sender or whatever. The only mail I have to sort by hand is the stuff that lands in my inbox (because none of my filters pick it up).

      I don't want to correct my filter's errors continually. If I have to do that, it's not doing its job at ALL; *I* would be doing 100% of the filter's job, then.

[reply]

In Section Past Polls

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://418538]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others perusing the Monastery: (5)
As of 2024-04-20 01:01 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found