Philosophy of Spam Identification
Identifying Spam
What makes spam different than normal email?
Although they often look alike, spam and nonspam are very different, and the people who send spam are very different from the people who send normal email. These differences allow our systems to distinguish a spammer from ordinary people, or from people who have a free speech message that they are sending to a large list of people. Understanding these differences is the key to accurately detecting spammers.
It's not just the content of the message that gives spammers away. We actually catch more spammers by their behavior than by the content of their message. Over 90% of the spam we filter is caught without having to look at the content of the message. We catch them based on their behavior in sending the message to us. These behavior differences are the key to accurately detecting spam without resorting to censorship and inhibiting free speech.
Understanding what spammers want
The bottom line is, spammers want your money. In order to be successful they have to find ways to get your money from your pocket to their pocket. Nonspam might also involve some marketing, but spammers are always going for your money. Although some spammers offer legitimate products, most are out to scam you. They use deception to trick you into giving up your money or your personal information. Sometimes the spammer only wants to know your email address is real so they can sell it to other spammers. Sometimes they are trying to get you to give up your password so they can clean out your checking account. Or they might want you to participate in some sort of get rich quick scheme where the only one who gets rich is them, at your expense.
In order for a spammer to get what they want from you, they have to get you to interact with them. The spammer always wants you to DO SOMETHING. That is one of the things that gives them away, because we can focus on what it is they want you to do and catch them. The spammer needs you to respond to the spam. They want you to Click Here. They want you to email this address. They want you to Call this phone number. There is always something they need you to do to get your money into their pockets.
One of the things we do is focus on what spammers want you to do. If the message contains a link, then it links to a web site the spammer wants you to go to. By identifying these web sites from lists that people cooperatively assemble, we can catch spammers by what they link to. We can also catch spammers by mining out real email addresses in the message that spammers want you to reply to.
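The check described above, sketched as an added example (not code from the original page or its filter): it pulls link hosts and reply addresses out of a message body and compares them with blocklists. The list contents, sample messages and function names are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed lists; a real filter loads cooperatively maintained ones.
BLOCKED_DOMAINS = {"win-prize.example", "pills-cheap.example"}
BLOCKED_ADDRESSES = {"claims@lottery-office.example"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def link_host(url):
    """Lowercased host part of a URL, or None if the URL is malformed."""
    try:
        host = urlsplit(url.rstrip(".,;:!?")).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def parent_domains(host):
    """a.b.example -> a.b.example, b.example (the bare TLD is never tested)."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def listed_targets(raw_message):
    """Return the listed links and reply addresses the body asks the reader to use."""
    body = message_from_string(raw_message).get_payload()  # single-part text assumed
    hits = []
    hosts = {link_host(u) for u in URL_RE.findall(body)} - {None}
    for host in sorted(hosts):
        # A listed domain also covers its subdomains (www., mail., ...).
        if any(d in BLOCKED_DOMAINS for d in parent_domains(host)):
            hits.append(("link", host))
    for addr in sorted({a.lower() for a in ADDR_RE.findall(body)}):
        if addr in BLOCKED_ADDRESSES:
            hits.append(("reply-address", addr))
    return hits

# Constructed sample messages.
SPAM = """\
From: "Prize Office" <notice@mail.example>
Subject: You have won

Click here: http://www.WIN-PRIZE.example/claim?id=7.
Or email Claims@lottery-office.example today
"""
HAM = """\
From: alice@corp.example

Minutes are at https://docs.corp.example/minutes and bob@corp.example has the slides.
"""
```

The sender address in the `From:` header is ignored on purpose: the match is made on where the message sends the reader, which the spammer cannot fake without losing the response.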
Spammers Behave Differently in sending email
Most people send a limited number of messages to people with whom they have a relationship. Spammers, however, send millions of messages to people with whom they have no relationship. A real email message will keep retrying if the server isn't ready and will generally play by the rules. Spammers will try to circumvent the rules to deliver as many messages to as many people as possible. They try the back door before they try the front door, and if the back door rejects them they move on. It's far more efficient for them to attempt to deliver spam to an unprotected server than to a heavily defended one. The spammer isn't trying to reach you specifically like your friends are. They are trying to reach anyone. So if your email server shows resistance, they skip you and move on to the next sucker.
Spammers are often deceptive. They pretend to be someone who they aren't. They deliberately misspell words so as to get around spam filters. They pretend to be part of your domain so that they can gain access. Often it is the deceptiveness of the spam that gives it away. For example, if a spammer is pretending to be a bank sending out an official notification but the email came from Nigeria, that isn't a real message from your bank. Many of these deceptions are identifiable and can become a 100% accurate rule to catch spammers using that kind of deception. Their dishonesty gives them away.
Because spammers send millions of emails to people who don't want them, millions of people report these spams to central clearing houses. There, specific characteristics of the spam are identified, and those characteristics can be used to identify new spam that is like spam that has been reported. Normal people don't send as many messages, and organizations that do send a large amount of email send it to people who want it and aren't complaining. So the spammer is different in that they generate a lot of complaints in a hurry. The anti-spam community is developing new technology to deal with this in real time so as to stop spammers in their tracks.
Spammers are on the run
Most ISPs do not allow spammers to use their network. Those that do end up on block lists, and most ISPs don't want that. So spammers can't spam from anywhere like people who send real email. They have to set up servers in countries that don't care about where the money comes from or what they are supporting to get the money. More often than not, spammers will try to hijack other people's computers using exploits and viruses that turn home computers into spam servers. These computers act as proxies for the spammers, sending millions of junk messages to lots of people. People who use Microsoft Windows are particularly vulnerable because Microsoft doesn't get it when it comes to computer security. They deny security fixes to unregistered users, so their OS becomes a nemesis to the rest of the world. The majority of spam comes from hijacked Windows computers. But the viruses that spew forth this spam are not as sophisticated as a real email server and are generally easily identifiable. Most of them can be blocked with an IP RBL list.
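An IP blocklist lookup of the kind mentioned above, as an added example (not code from the original page). It uses the usual DNS blocklist convention of reversing the IPv4 octets under the list's zone; the zone `rbl.example` and the stub resolver are constructed so the block runs offline.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True only when the list answers with an address in 127.0.0.0/8."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        # No such name means "not listed". A resolver failure lands here too,
        # so this check fails open rather than rejecting mail.
        return False
    # Answers outside 127.0.0.0/8 (wildcard or rewritten DNS) are not listings.
    return ipaddress.IPv4Address(answer) in LISTED_NET

# Constructed stand-in for the list's DNS zone (hypothetical zone "rbl.example").
FAKE_ZONE = {
    "10.2.0.192.rbl.example": "127.0.0.2",      # listed sender
    "7.100.51.198.rbl.example": "203.0.113.5",  # bogus non-127 answer
}

def fake_resolve(name):
    """Offline resolver: known names answer, everything else is 'no such name'."""
    if name not in FAKE_ZONE:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return FAKE_ZONE[name]
```

In a mail server the lookup runs against the connecting IP at SMTP connect time, before any message content is accepted.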