Spammers add a new dimension to junk mail

Spammers have added a fresh dimension to the fight against junk mail with the creation of image spam rendered in a pseudo 3D layout. The use of images as opposed to simple junk messages as a way to punt penis pills, refinancing offers and the like has been going on for months. The approach is designed to fool basic spam …

COMMENTS

This topic is closed for new posts.
  1. Ralph B

    One Born Every Minute?

    Who is stupid enough to buy from a spammer? Obviously some people do, and they are making life hell for the rest of us.

    The problem is how can we make it easier for the spammers to find their suckers, so they can leave the rest of us alone.

    Here's some ideas:

    - Windows (TM) should come with an IQ test during email setup. Those achieving less than a certain score have their email address supplied to the spammers.

    - Sale of lottery tickets should require that the buyer provide their email address. This is then supplied to the spammers.

    - Google's database could be trawled for search phrases such as "Britney Spears" and "How can I make my penis longer", matched to the user's email address (Google knows how), and supplied to the spammers.

    - etc.

    Get the idea?

    We end up with a continuously updated register of stupid people's email addresses which spammers will be free to use as much as they like. But they will be utterly forbidden from sending to ANY other address. (Not that they will want to, since only stupid people buy their products).

  2. caffeine addict

    At the risk of turning ElReg into Fark...

    this article is pointless without pictures... :)

  3. fluffy

    How is this any more effective than 2D image spam?

    By now, my spam filter is very well-trained to disregard emails which are nothing but an image when the headers have been tagged in various ways by SpamAssassin. (It's especially helpful that most of these messages use a nonstandard MIME multipart encoding, which bogofilter is similarly trained very nicely on.)

    Good spam filters don't need to care about the unique signature of each image; there's so much more useful information in a message than just what's "visible."
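Added example, not part of the original thread: a sketch of the point made in comment 3, describing a message by its MIME structure instead of the image's pixels. The feature names, weights and both sample messages are constructed assumptions; this is not how SpamAssassin or bogofilter score mail.

```python
import re
from email import message_from_bytes, policy

TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample: image-only body, image placed directly under
# multipart/alternative, and no closing boundary line.
SAMPLE_IMAGE_ONLY = b"""\
From: a@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XX"

--XX
Content-Type: text/html; charset="us-ascii"

<html><body><img src="cid:img1"></body></html>
--XX
Content-Type: image/gif; name="a.gif"
Content-Transfer-Encoding: base64
Content-ID: <img1>

R0lGODlhAQABAAAAACw=
"""

# Constructed sample: ordinary plain-text message.
SAMPLE_PLAIN = b"""\
From: c@example.invalid
Subject: minutes
Content-Type: text/plain; charset="us-ascii"

Minutes from Tuesday's meeting are below for review.
"""

def structural_features(raw: bytes) -> dict:
    """Describe a message by its MIME structure, ignoring image content."""
    msg = message_from_bytes(raw, policy=policy.default)
    images = text_chars = 0
    image_under_alt = False
    defects = []
    for part in msg.walk():
        # Parser-recorded defects, e.g. a multipart with no closing boundary.
        defects += [type(d).__name__ for d in part.defects]
        if part.is_multipart():
            if part.get_content_type() == "multipart/alternative":
                image_under_alt |= any(
                    c.get_content_maintype() == "image" for c in part.iter_parts())
            continue
        if part.get_content_maintype() == "image":
            images += 1
        elif part.get_content_maintype() == "text":
            body = part.get_content()
            if part.get_content_subtype() == "html":
                body = TAG_RE.sub(" ", body)   # count visible text only
            text_chars += len("".join(body.split()))
    return {"images": images, "text_chars": text_chars,
            "image_only": images > 0 and text_chars < 20,
            "image_under_alternative": image_under_alt,
            "defects": sorted(defects)}

def structure_score(f: dict) -> int:
    # Weights are illustrative assumptions, not tuned values.
    return 2 * f["image_only"] + f["image_under_alternative"] + len(f["defects"])
```
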

  4. Anonymous Coward

    RE: One Born Every Minute?

    I won £7000 on the lottory by matching four numbers on Hot Picks after playing twice a week for a few months. Who's the fool?

  5. Player_16

    Also at the risk of turning ElReg into Fark...

    Yeh!! Let's see some pictures!! C'MON!!

  6. Ben Pope

    @caffeine addict

    Unless you're using an obscure browser or your own stylesheet, is not the word "notes" underlined and in blue to indicate that it is a link? Try clicking on that link.

  7. Anonymous Coward

    @ Ben Pope

    Surely you don't blindly follow hyperlinks on a webpage. tsk tsk tsk...

  8. Phill

    disappointed

    Those images aren't very 3D and aren't very impressive if you ask me.

    Thousands of computers are hacked and controlled by sophisticated, reverse engineered, viruses and worms written by what must be fairly intelligent people....and this is the final product? Why aren't the guys who have the ability to convert entire networks into their own botnets able to do a little bit of word art for their gangster pimp daddies exactly?

  9. Tom

    Unfortunately SPAM works

    The best way to stop spammers is to somehow tax their profits. Presently, SPAM is quite workable. When you send out millions (billions) of emails and get a response in the order of 10 or so, it makes economic sense. Only when the rate of return diminishes (gets closer to zero) will the problem be solved. SPAM filters may help, but for the messages that get through, it is economical.

    Here in the USA, our legislators don't understand (and probably never will). If they did, we could probably solve the problem, but knowing how they work, some lobbying group (direct mail industry comes to mind) will distort it to be totally non-functional.

    Oh, well. Some lessons are never learned.

  10. Anonymous Coward

    Jail for anyone who buys from spam..

    for inciting and collaborating. If people didn't do it, spamming wouldn't be worth their time.

    Jail for anyone who hires a spammer to advertise their product.

    Jail for the spammers too when we can find them. But the point is, the responsibility must be shared. We punish those who download child porn because it creates an incentive for the manufacture of more and therefore is responsible for the social harm that results; the situation with someone who pays money to a spammer is just the same.

  11. Anonymous Coward

    Non-story

    Actually, the computing effort required to render an image like this is trivial, barely more than it takes to render it flat in the first place - it's smoothing and anti-aliasing that take most of the grunt, the actual maths of the affine transformation are trivial.

    The whole thing is in fact just the same as the progression of captchas over the past few years: the spammers have been adding dots and textures and blobs to try and defeat antispam solutions that rely on OCRing the text out of the image, now they're advancing to some of the more mangled and distorted styles of the more recent harder-to-defeat captchas.

  12. Anonymous Coward

    Ooops

    I thought the "3D" effect was that weird smudging on the URL and I couldn't figure out how it worked

  13. foxyshadis

    Computing resources

    The planar 3d transform takes much much less time on today's (and even yesterday's) cpus than it takes to send out the last one. I could do realtime 320x240 3d on a 486, so I'm sure they could do enormously more complicated transforms if they cared to.

    Then if it's done on a graphics card, even a 90's one, it would be virtually instantaneous.

  14. vm370_guy

    Serves you microcomputer people right

    How's that microcomputer revolution going? Sounds like it's gonna collapse under the weight of spam and malware. AWWW!

    VM370_guy, Proud VM/CMS FORTRAN and PL/1 programmer.

  15. Anonymous Coward

    @Player_16...

    ...I work for Spammers, so I'm really getting a kick out of some of these replies...

  16. Tim Bates

    I have an idea...

    How about we don't let idiots drive computers in the first place...

    2 benefits. They can't buy products from the spam, thus removing the market for spammers. And they will not leave their damn PCs open to attacks.

    I think stupid people running open mail relays or computer illiterate people leaving their compromised PC online are worse than the spammers.

  17. Pierre Castille

    Target spammers via credit card payment systems

    Spam works because enough people buy spammed products using credit cards.

    If the banks refused to handle payments to spammers then the flow of funds that drives spam would stop.

    Perhaps the solution to spam is not a spam message filter but a spam payments filter.

  18. Andy Worth

    IQ test??

    I kind of like the idea of an "IQ" test for computer users, but not a typical one, more of a common sense test (as some otherwise intelligent people can have no common sense around computers). Questions such as:

    1) A mail arrives from Prince Umbongo claiming to be able to make you rich for a small down-payment. Do you....

    a) Get excited and reply back, willing to part with cold hard cash like a pillock?

    b) Delete the mail?

    c) Figure out a way to get some money out of the blatant scammer and turn the tables (see 419eater.com)?

    2) A mail arrives appearing to be from your bank, asking you to fill out your details on a webpage for "security reasons". Do you.....

    a) Happily fill out the form, blissfully unaware that you've just given your bank details to a dodgy bloke in Korea?

    b) Ring your bank and ask them if the mail is real?

    c) Delete the mail while making random rude signs at your screen?

    Now you see, if there was a test like this then the spammers could just target those stupid enough to fall for their ploys, and leave the rest of us alone.

    What do you think?

  19. Anonymous Coward

    Okopipi, our last, best hope

    http://www.okopipi.org/ is the successor project of the late BlueFrog - the only thing that actually showed any promise of stopping spam at the source, by making it too expensive for the spammers.

    BlueFrog was DDOS-ed to death by the spammers. If that doesn't prove they were on to something, I don't know what does.

    Okopipi is an attempt to recreate BF's functionality, but in a fully distributed manner, with no single point of failure. For a while now the project has been stalled, lacking a good coordinator/project manager, not least because people are hesitant to contribute for fear of retaliation from the spam mafia.

  20. Anonymous Coward

    What is a 'lottory'?

    You won seven grand, well done; you therefore are a fortunate fool. I don't believe that a LOTTERY win has ever been conclusively linked with higher than average intellectual capacity of the winner. It is possibly particularly telling that you cannot spell it.

  21. Anonymous Coward

    Re: Re: One Born Every Minute

    You are still an idiot, just a lucky idiot, for two reasons:

    1) Humans are terrible at statistics, and for some reason still play lotteries even though the odds are against them. If I played the lottery with 1234567 I would have as much chance of winning as anyone else.

    2) You spelt it lottory.

  22. N1AK

    Lottery

    The lottery works by putting the sum of all sales (minus a payment to the places that sell the tickets, and minus a share to Camelot who run it).

    That sum then has a chunk taken for use supporting charities etc.

    What is left is then at random distributed (randomly) among the tickets. As there is no way to predict the draw or game the system there is no way to increase your chance of winning.

    This means the odds of benefiting financially from the lottery are small, although obviously some people will.

    I have no problem with the lottery, and if people play it because they enjoy the excitement then fine, but the vast majority of people seem to be buying tickets and checking tickets automatically which seems to remove any chance to actually enjoy it, instead they are hoping against the odds for that lucky payout.

    I haven't played the lottery ever, in the last 5 years a friend has played it 2 times a week, during that time he's won £40 and spent £520. Instead I have savings (obviously not just lottery money), so that's £575 including interest, I've ended up £535 better off than him by not bothering to play the lottery.

  23. Calum Morrison

    Ironic that this comes from F-Prot

    As when we used their AVES anti-spam system, it didn't block any of the pdf or the image based spam whatsoever. Complete waste of time and non-existent support. Thankfully using a better system now that just seems to work...

  24. Andy Turner

    Hardly 3D!

    It's just a skewed image!

  25. Kevin Hall

    The war is lost

    As an email administrator products like SpamAssassin only work to a certain point. As I see it the whole email war is completely lost to spammers. We need something more robust like Instant Messaging that at least has authentication functionality. Unfortunately my job as an administrator means trying to protect the most novice of users, people like receptionists and administrators who frankly have no idea about spam. It's not that they're deliberately ignorant which is always the implication of people with elitist tendencies; they're paid to do admin work or work on the reception not be experts at email security. I don't know if one of the answers is to either white-list email or remove Internet email altogether. No matter how careful you are you'll email someone whose PC is infected or compromised and your address will be stolen that way. If email continues to be a sewerage pipe it'll virtually disappear from some organisations altogether.

  26. Anonymous Coward

    Bot wars and having a blonde moment

    If spammers can get into machines to make bot-nets then why not make anti-botsnet (so to speak). Software that gets onto a machine the same way as malware but then deletes the nasties just like my spyware never seems to do.

  27. Ross

    Re: Bot wars and having a blonde moment

    Yes you could write and release a worm that went about deleting other worms and trojans using the same exploits. Some malware does just that - kicking out the competition. However it is very, very illegal. You would (possibly) be doing people a favour, but if you got caught I wouldn't be very confident in the Robin Hood defence.

    The simplest start to reducing spam would be for ISPs to block outbound SMTP connections to open relays. If they can do deep packet inspection on P2P traffic I'm damned sure they can detect and block connections to open relays. That way we get less spam, but we can still access our non-ISP based SMTP servers.

    You'd still get people using hacked servers etc, but it'd be a start. Oooh sorry, was dreaming for a moment there...

  28. Kevin Hall

    Problem with open relays

    The problem with blocking and detecting open relays is the administrative burden it puts on ISPs. ISPs themselves should only allow SMTP traffic to their own servers and preferably should require credentials to send anything. The problem is malware either uses the legitimate SMTP relay anyway or simply directs the traffic to other servers using port numbers other than 25. People like Verizon and EarthLink block port 25 by default but this hasn't really slowed the deluge of spam coming from compromised systems on those networks.

    I think the problem is much more fundamental, SMTP was designed without any security in mind, it's a mechanism to send email not a security gateway. I'm not a software engineer and I have no idea how you make SMTP more secure, all I do know is that before long the only people sending any email will be spammers themselves. Maybe it'll be a fitting end to them, like madmen screaming in the darkness, no one will be listening.

  29. Anonymous Coward

    Bot wars and having a blonde moment

    If spammers can get into machines to make bot-nets then why not make anti-botsnet (so to speak). Software that gets onto a machine the same way as malware but then deletes the nasties just like my spyware never seems to do.

  30. Ross

    Re: Problem with open relays

    Installing traffic shaping appliances to control P2P traffic was a burden to the ISPs, but not so much a burden as the masses of traffic was, so they chose the "lesser evil" and spent a bit of money on traffic shaping, as opposed to a lot of money on new infrastructure.

    The rampant growth of spam (I remember El Reg carrying the story when spam comprised 50% of all email seen by Message Labs - what we up to now? 70%?) means that the balance will eventually shift for ISPs from "we don't care - it's cheaper to ignore it" because the bandwidth and storage costs will get too much.

    Image based email can only speed up that process. If ISPs wish to maintain profits against a background of needless higher bandwidth and storage costs due to spam they have 2 options - increase prices, or prevent/limit spam. Given that they already have dynamic traffic shaping in place it would make sense to run test cases now, then deploy it and *advertise* your company's spam-busting prowess. It's something that will make you stand out against your competitors.

    It would be really nice if they actually emailed their users that were pumping out spam oblivious to their bot infection and advised them on updates, anti virus, firewall software etc. Hell, they could even get commission for selling it. Ending spam needn't be a money sink - there's money in them thar hills.

  31. Morely Dotes

    BlueFrog: May the founders DIAF

    "BlueFrog was DDOS-ed to death by the spammers. If that doesn't prove they were on to something, I don't know what does."

    It proves the people who were given investor money to create BlueFrog, and who collected "subscriptions" money from users, were smart enough to pay a little for a DDoS so they could abscond with the cash after "regretfully" shutting down.

    Anyone who isn't paranoid just isn't paying attention.

  32. Morely Dotes

    @ Ross and Kevin Hall

    Firstly, the primary issue of open relays has been a non-issue for years. There are few open SMTP relays these days, and if the spammers were to use them, they'd melt down under the load in minutes.

    Secondly, the current issue is botnets. Defeating botnets requires a multi-pronged approach:

    - Admins must configure their networks so that the default is for all outbound SMTP traffic to route through their own servers (with exceptions made only upon request, and with a reasonable explanation of why the ISP's own servers will not serve the purpose).

    - Admins must aggressively null-route traffic from infected machines, both *inside* and *outside* their own networks.

    - Admins must require customers to maintain uninfected client machines, with null-routing the first step, and customer termination a last-resort (but not unused) final step.

    - Legislators must eliminate the useless laws that currently exist (because they are so full of loopholes that it's almost impossible to violate them), and pass laws that punish spammers, botnet herders, and VXers with serious "hard time" and total confiscation of their assets. It won't stop new offenders; it will make repeat offenses too expensive to be attractive.

    And finally, we need to replace all Windows machines worldwide with a more-robust and less-vulnerable OS (that is to say, a *real* OS, one which isn't based on the concept of millions of isolated computers with no network access, then suddenly giving everyone root-level access to all of them at once). Good luck on that one.

    Getting lawmakers to do anything useful is harder than sending men to the Moon and bringing them home alive. The problem will be with us for some time to come.

  33. Danny Roberts

    GMail

    OK, not a corporate solution but all my email is routed through GMail. It seems by far and away the best filtering I've seen once it's had a bit of training from the user.

    My parents wanted me to set them up a new email account due to the amount of spam they get. I only did it on the premise that they train the filter effectively. I receive about 200 emails a day, maybe 12 or so that I want, and I only ever receive 12 or so in my POP3 inbox. What is Google doing right that many other systems (read, ISPs) can't?
