Spam: a cunning (and annoying) approach
Dec. 10th, 2009 11:48 am![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
bunnI've had a few emails recently get through my network of filters, and have been wondering how they managed it, as they used words that would trigger any spam filter, and all seem to have exactly the same text. (I do have a strange soft spot for the innovative and amusing kind of spam, but nobody wants thousands of identical emails promoting products one would never buy).
I just became annoyed enough to fiddle with the filters to stop them, and by checking the source, discovered why they had made it through.
The spam filters that filter primarily on content, work by reading your email looking for suspicious strings of letters. The spammers had got round this by adding random letters in the middle of all possibly-contentious words - so for example: Vibtlagnmbra. The random letters are different for every email, so the letter string is always different and cannot be filtered out.
Then they used HTML to colour the excess letters white, make them very small and float them away to the right margin, so that the message looked the same to the human user.
This is awfully cunning. And awfully irritating.
OK, I could turn off rendering HTML in emails, but this wouldn't stop the spams, it would just render them unreadable. I could filter out all HTML emails. But I don't want to do that, I get HTML emails that I do want to read.
I could do more validation of the sender's email address - but I don't really want to do that, because many spams come from genuine, valid addresses that are being forged. In a perfect world, there would be better systems for validating who sends emails so that I could be sure that an email coming from a different IP or SMTP server was spam, but sadly, that's not the case.
I do get HTML emails from oddlooking SMTP servers and varying IPs that I actually want to read, and the process of validating addresses using an SPF record is sufficiently complex that I can be pretty sure that many of the people who send me email will not be able to do that.
In the meanwhile, I've settled for filtering on the code that hides text and floats it to the right. This isn't a great way of doing things, as it's possible that a valid email might also contain that code, and also I can think of quite a number of permutations on this technique using different code - but it is the best 'least likely to lose desired mails' approach I can think of.
However, I suspect that ISPs handling vast amounts of email traffic will go instead for the validate sender approach - thus ensuring that genuine emails become even less likely to be reliablly delivered than they are now.
Hum. It is annoying that spammers insist on muddying their own water in this way. If they could just be a bit more restrained about it, then people would put up with them, but this sort of thing will eventually end up killing email, and driving people to more validated but less private and less universal messaging systems such as the various social media sites.
I just became annoyed enough to fiddle with the filters to stop them, and by checking the source, discovered why they had made it through.
The spam filters that filter primarily on content, work by reading your email looking for suspicious strings of letters. The spammers had got round this by adding random letters in the middle of all possibly-contentious words - so for example: Vibtlagnmbra. The random letters are different for every email, so the letter string is always different and cannot be filtered out.
Then they used HTML to colour the excess letters white, make them very small and float them away to the right margin, so that the message looked the same to the human user.
This is awfully cunning. And awfully irritating.
OK, I could turn off rendering HTML in emails, but this wouldn't stop the spams, it would just render them unreadable. I could filter out all HTML emails. But I don't want to do that, I get HTML emails that I do want to read.
I could do more validation of the sender's email address - but I don't really want to do that, because many spams come from genuine, valid addresses that are being forged. In a perfect world, there would be better systems for validating who sends emails so that I could be sure that an email coming from a different IP or SMTP server was spam, but sadly, that's not the case.
I do get HTML emails from oddlooking SMTP servers and varying IPs that I actually want to read, and the process of validating addresses using an SPF record is sufficiently complex that I can be pretty sure that many of the people who send me email will not be able to do that.
In the meanwhile, I've settled for filtering on the code that hides text and floats it to the right. This isn't a great way of doing things, as it's possible that a valid email might also contain that code, and also I can think of quite a number of permutations on this technique using different code - but it is the best 'least likely to lose desired mails' approach I can think of.
However, I suspect that ISPs handling vast amounts of email traffic will go instead for the validate sender approach - thus ensuring that genuine emails become even less likely to be reliablly delivered than they are now.
Hum. It is annoying that spammers insist on muddying their own water in this way. If they could just be a bit more restrained about it, then people would put up with them, but this sort of thing will eventually end up killing email, and driving people to more validated but less private and less universal messaging systems such as the various social media sites.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2009-12-10 01:47 pm (UTC)That horse has long bolted :-(. You can't block them, and you can't set them to not render, because just too many people send messages in that format by default.
I have one client who has a corporate email system that strips css - not all HTML, just css - and it causes all sorts of bother on a day to day level.
no subject
Date: 2009-12-10 02:22 pm (UTC)Yes, agreed; but it doesn't make them a good idea. :-(
That's interesting. Until I switched to Thunderbird a few weeks ago, I was using an email client (Turnpike[1]) that did something similar. It rendered html as simple text, even if there wasn't a plain text alternative. It removed all the style information, all the tags, everything; in-line images were provided as attachments. That worked rather well, except with marketing type emails, which seemed to render as a long list of links.
Even with HTML emails it ignored most of the tags; it did bold and italic and that was about it! No fonts, no colours, no in-line images, no backround images. It was loverly! :-)
[1] I switched as I got fed up with its failings when running under Vista (and presumably Windows 7). Since we're going to be moving away from Demon in the near future it seemed sensible to drop their proprietry email client sooner rather than at the same time as the migration. Give us time to find something we liked. I'm not convinced that I like Thurnderbird, though.
no subject
Date: 2009-12-10 02:40 pm (UTC)Or people forwarding newsletters "can you do something like that only purple' etc, etc... Or they embed an image inline or even set it as a background rather than attaching it, without knowing the difference, and the image contains some vital detail, and obviously they sent it late on Friday afternoon and expected it to be actioned by Monday...
Thunderbird - I know what you mean. I just cannot find an email client I really like, I've tried a bunch and keep coming back to Eudora, even though development on Eudora is dead as a doornail and I have a horrible feeling that it won't run under Window 7 :-(
no subject
Date: 2009-12-10 04:02 pm (UTC)Sometimes I think non-technical people shouldn't be allowed email. I also sometimes think people who don't understand how a motor vehical works shouldn't be allowed to drive one.
I've met up with people including information in the formatting too, all too often. Luckily it mostly didn't get sent on Friday afternoon and needed to be completed by Monday morning.
Eudora being dead is the reason why I didn't even consider it, even though I know it was supposed to be excellent.
no subject
Date: 2009-12-10 05:52 pm (UTC)My maternal grandfather became an electrician in the 1930s ('it is the coming thing' he told his small daughter). I like to imagine him ranting about foolishness of the hoi polloi replacing their own lightbulbs and fuses.
no subject
Date: 2009-12-12 10:04 pm (UTC)no subject
Date: 2009-12-14 11:37 am (UTC)For a while I was running Turnpike on a W2K virtual machine on my Vista PC. Unfortunately it didn't cope well with connecting across the network and corrupted the database several times, even though it had done that for several years quite successfully, so I resorted to putting the mail database in the virtual machine.
Another problem with the virtual machine is that clicking a link in a mail opened a browser on the virtual machine rather than one on the host.
Demon did produce an updated version of Turnpike that would at least run on Vista (and presumably W7), but it didn't behave very well. I couldn't get it to move mail from one folder to another, neither drag and drop not cut and past would work. And if you hid the folders list in Explorer windows (my preferred view) you couldn't see any folders in Turnpike, nor get them to display.
no subject
Date: 2009-12-15 06:24 am (UTC)I do like Turnpike's design. I shouldn't be surprised at how rare a good clean user interface is, but I had a day's training course on our school database system yesterday, and was horrified at how cobbled-together it felt for such an expensive bit of software. Almost every screen has its own unique way of doing things, and they were all inconsistent. Aaaaargh!
no subject
Date: 2009-12-15 09:06 am (UTC)Yes, Turnpike's UI is pretty good, shame it relys so much on the mouse and doesn't implement keyboard shortcuts properly: try getting to To: from the body of a message without using the mouse.
Yes, I know about cobbled-together expensive bespoke software. Hmmm, that's pretty much like the software that I'm currently maintaining. I'm slowly getting rid of as many inconsistancies as I can, but we have got a new version that is consistant.