zhaol's blog

从很久以前，我们人类就开始和垃圾邮件进行着斗争。在某段时间，在各种专业反垃圾邮件技术的支持下，我们做到了关键词、黑名单、自动学习、相当程度的智能识别（其中还包括贝叶斯算法等的使用，;)）等各种技术的综合使用。例如在Gmail中，垃圾邮件的自动识别率已经相当令人满意，并且误杀率也基本接近0。 我们曾经准备宣布人类已经成功的解决了垃圾邮件的问题，但是现在人类又要面对更新的、更强大的垃圾邮件威胁。

1 图片垃圾邮件： 上述技术主要针对文字垃圾邮件。新的垃圾邮件在Subject域并没有显眼的“垃圾”特征，内容却是一幅图片，其中的图片也不具备一些典型的黄色图片特征（即人类皮肤的颜色比例）。而是在技术角度看起来像非常正常的奥运、圣诞图片。
2 僵尸网(BOTNET)：专门为发送垃圾邮件而生成的僵尸网规模已经相当可怕，每天可以放松百万量级的垃圾邮件。下文中报导的SpamThru就是这个目的。
3 股票等金钱驱使：垃圾邮件中的内容是非常严肃的股市分析，劝告你去购买某些、某种股票。百万接收者中有百分之几的相应率就可以对某只股票造成某种程度的人为操纵，然后操纵者乘低买入，乘高卖出。这方面和相当部分的网络欺诈和入侵有些相似。

斗争在进行中...

[separator]

Net Watchdog: Seemingly Unstoppable Spam
Jan 2, 2007， By Tom Spring, PC World (US)

If you're like me, each morning you greet an e-mail inbox stuffed with a new breed of fiendishly clever spam that somehow manages to elude your spam filters.

Earlier this year we thought the good guys were winning the war against spam. Back in January, I talked to spam fighters who were claiming victory in the spam wars. One company told me that the volume of spam had stopped growing at double-digit rates for the first time.

But that may have changed. Researchers and IT managers are now complaining that spam levels have risen significantly in recent months -- some organizations have reported increases as high as 80 percent. Overall spam volume has increased 67 percent since August 2006, according to Barracuda Networks, an enterprise security appliance vendor.

So what's changed? How are spammers managing to sneak their messages back into your inbox? And what can you do to protect yourself?

New and Improved Spam

Spam used to be strictly text based and commercial in nature, touting herbal remedies, linking to porn sites, and coming from average-Joe spammers looking to make some extra money.

Spam fighters were able to block this type of spam based on key attributes, such as words and phrases typically found in spam. They could also block e-mail that came from a known spammer, or filter spam based on the links that the messages contained. If an e-mail contained links to a porn site, for example, then a filter might reasonably guess that was spam.

The new breed of spam manages to evade filters because it contains no suspect words, is sent from hundreds of thousands of different PCs, and includes no links. How does it work?

The new spam evades traditional spam filters because it doesn't include any text -- instead, it uses an image embedded in the body of an e-mail to deliver its message. This image includes text that displays the spammer's message. But to make it hard for spam filters that may use optical character recognition technology to scan and read the text in the images, spammers are getting sneakier. They're sending pictures with textured backgrounds or various colors to throw off the filters. They're also varying the font for each letter of the text. This way a spam filter can't tell an unsolicited stock tip from a holiday picture of the family.

Image spam currently accounts for up to 40 percent of incoming e-mail, according to McAfee Avert Labs . A year ago image spam accounted for less than 1 percent of the total spam received, the company reports.

Pump-and-Dump Spam

The look of spam isn't the only thing that has changed. Much of the new spam no longer depends on people clicking a link or downloading a Trojan horse. Instead, the single purpose of most image spam today is to promote a specific company's stock -- it's a "pump and dump" stock scheme.

Here's how it works: People behind the scam typically buy a bunch of penny stock in a company. Next, they send out millions of spam messages touting that stock -- typically via zombie computers (owned by home PC users). When enough people buy the stock -- and believe it or not, some people actually do -- the spammers sell their holdings and make a modest return.

How many people actually fall victim to these stock tips? A spammer can make a 5 to 6 percent return in just a few days from stock hyped via spam, according to a recent study conducted by researchers at Oxford University and Purdue University. The researchers also found that spam recipients who invest in those same stocks lose about 7 percent of their investment.

These types of pump-and-dump spam stock schemes are growing exponentially on the Web, according Stephen Pal, vice president of product management for Barracuda Networks , an enterprise security appliance vendor.

Organized Crime

The recent explosion in image spam that hawks penny stocks is likely the work of Russian hackers controlling an army of botnet PCs, says Joe Stewart, senior security researcher at SecureWorks . A botnet is a network of hijacked PCs that forward spam or viruses over the Internet to other computers without the knowledge of the zombified PC's owner. As many as 100,000 PCs make up this army, and they're probably seeded with the SpamThru Trojan , Stewart says.

This botnet army is very advanced, Stewart says. The SpamThru Trojan scans a PC for viruses and removes competing malware files, he says. Once a PC is infected, it becomes a zombie controlled by a central server. A botnet army this large is capable of sending a billion spam messages a day, Stewart says.

Our best hope for stopping the scourge of image spam rests with the spam fighters. One way you can help is by giving feedback to your e-mail provider. Companies like Barracuda Networks and e-mail providers like Google Gmail and AOL ask that their customers identify the spam they receive by pressing a "this is spam" button, rather than just hitting Delete. This feedback helps companies prevent the same messages from reaching other inboxes.

Chasing down the spammers is as futile as investing in the penny stocks they promote, experts say. Right now resources for fighting spam are best focused on protecting people -- not going after the bad guys, Stewart says. "The fact is that law enforcement doesn't have the authority or resources to track down spammers," Stewart says.

That leaves little hope for those of us on the receiving end of spam. For now, all we can do is make sure our antivirus and antispam software is up-to-date.