Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Notes on the CEAS

Here's a roundup of my random thoughts on the CEAS:

1. The stuff on image spam detection was interesting, but it's a little late.  Spammers have moved on to other tricks.

2. Speaking of the stuff on image spam, the false positive rates were so high as to render the techniques impractical in a real-world environment.  A 4% false positive rate renders a technique non-useful in real life.  Frankly, a filter component has to have an FP rate no worse than 1 in 10,000.

3. The brief history of Postfix was interesting.

4. Well, wouldn't you know it - it turns out that filters that train on global data (mail) perform *much* better than filters trained on personal mail.

5. Interesting factoid: Spammers are sending fewer messages per recipient than they used to.  This is a reversal in the trend in earlier years when they sent the same message to a lot of recipients.

6. The top 10 brands account for 85% of phished sites (eBay, PayPal, etc.).

7. 99% of trackbacks on blogs are spam, and when it comes to blog spam, two narrow IP ranges host most splogs.

8. Even though SenderID and SPF fail on email forwarding, it's not a huge problem because forwarding is rarer than people think.

  • > The stuff on image spam detection was interesting,
    > but it's a little late.  Spammers have moved on to
    > other tricks.

    It's not really too late though.  If you don't keep it up, they'll be back.

    > Spammers are sending fewer messages per recipient
    > than they used to.

    Huh?  Maybe there was accidentally a whole week when that fluctuation just happened to look that way, and you interpret that as a trend?  Daily rates won't look like a trend but they'll show the fluctuations; today kind of looks the way you're talking about and yesterday was exactly the opposite.

    The way your #8 is formatted, I can't read it in IE6.

  • "Huh?  Maybe there was accidentally a whole week when that fluctuation just happened to look that way, and you interpret that as a trend?"

    I didn't interpret it, the presenter did.  The bottom line was that spammers used to send 1 message to many recipients, now they send many different messages to many different recipients.

    "The way your #8 is formatted, I can't read it in IE6."

    Should be fixed now.

  • > The bottom line was that spammers used to send 1
    > message to many recipients, now they send many
    > different messages to many different recipients.

    I see, I misinterpreted the original wording.  It looked like an assertion that spammers used to send many copies of a spam to each recipient and now send fewer copies to each recipient.  With ordinary fluctuations there are some days where the average number of copies of a spam (per recipient) can be lower than the previous day's average, but the overall trend sure isn't down.  Some spammers seem to think they persuaded me to enter 10 buy orders for some spamalot stock each day last month so they'll obviously persuade me to enter 20 buy orders each day for this month's spamalot stock.  Most of those get filtered out by my ISP but I still see the subject lines because I have to check for false positives.  A few don't get filtered out so the SEC gets to see them (somehow the spamalot stocks are always listed in the US).
