Friday, August 06, 2004
The Spam I'm Not Seeing
So as we all know, AOL has acquired Mailblocks, the challenge/response spam filtering company that incidentally holds a bunch of apparently questionable patents covering the use of challenge/response for email filtering. Yeah, well, whatever. So in early 2005 AOL will offer another ca. 2003 spam filtering tool to any subscribers they might still have. Again, let me say: whatever.
It's interesting, though, how effectively challenge/response has managed to maintain a sort of minor "up and coming technology" status in the face of a gigantic collective yawn on the part of its potential user base. Nobody bothers to use c/r. Seriously. I say this not only because I can't remember when I last got an email challenge, but also because of the compelling evidence of the spam that I'm not seeing.
Whatever else they may be, spammers are reactive. Spam changes -- and changes quickly -- in response to each and every attempt to stop it. Admins start blocking the machines that send spam? Spammers figure out how to distribute their spam-sending chores across many machines. People start filtering based upon words frequently used in spam? Words like "v1@gr@" and "|S|L|U|T|S|" are coined. People create smarter methods of identification, like collaborative message fingerprinting and Bayesian analysis? Enter the randomizers: random words, paragraphs from books, and miscellaneous other text appear in spam.
So what does that have to do with challenge/response? The spam that I haven't yet seen is a message something like this:
###
To: somebody@example.com
From: verification@legitimate-sounding-domain.com
Subject: Please Authenticate your Message
--
You recently sent a message to a Legitimate Sounding Spam Stopping Tool user. Your message has been quarantined, and will not be delivered until you click the link below to verify that this message is not spam or automatically generated bulk email. You will only have to do this once, after which any messages you send to this user will be automatically delivered to their inbox.
http://verification.legitimate-sounding-domain.com/foo=sk3ndk3jalkejk4
Thank you,
The Legitimate Sounding Spam Stopping Tool Team
###
If you click the link above, you'll see the potential problem here. If I'm a really clever spammer, I'll just copy the text used by some legitimate challenge/response system for my fake messages. If I'm an extra-special clever spammer, I'll tie this into a nice little worm of some sort, which would allow me to use the infected machine's address book to send out "verification" messages that include an email address that the recipient is likely to recognize. Cool, huh?
The day after c/r systems become popular (assuming that ever actually happens), I fully expect to see these messages...and because I haven't seen them, I just don't think that c/r is commonly used yet. It's interesting, actually, because just a couple of biggish spammers doing something like this could make c/r completely worthless. Every time you clicked on a challenge link it'd be a crapshoot, which takes challenge/response from "minor annoyance" all the way up to "way more trouble than it's worth."
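One defensive angle on the scenario above: a genuine challenge is always a reply to mail you actually sent, so a client can correlate it with its own Sent folder before trusting the link. The Python below is an added example, not code from the post or from any challenge/response product; it assumes that legitimate challenges cite the quarantined message's Message-ID in In-Reply-To/References, and the message texts, domains and Message-IDs are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the forged challenge sketched in the post (Message-ID added for parsing).
FORGED_CHALLENGE = """\
To: somebody@example.com
From: verification@legitimate-sounding-domain.com
Subject: Please Authenticate your Message
Message-ID: <fake-1@legitimate-sounding-domain.com>

You recently sent a message to a Legitimate Sounding Spam Stopping Tool user.
Click the link below to verify that this message is not spam:
http://verification.legitimate-sounding-domain.com/foo=sk3ndk3jalkejk4
"""

# Constructed sample: a genuine challenge, which cites the quarantined message's Message-ID.
GENUINE_CHALLENGE = """\
To: somebody@example.com
From: challenge@cr-service.example.net
Subject: Please confirm your message
Message-ID: <real-1@cr-service.example.net>
In-Reply-To: <abc123@example.com>

Click http://challenge.cr-service.example.net/confirm?id=42 to release your message.
"""

# Constructed: Message-IDs of mail this user really sent (e.g. indexed from the Sent folder).
SENT_MESSAGE_IDS = {"<abc123@example.com>"}


def assess_challenge(raw: str, sent_ids: set) -> list:
    """Return reasons to distrust a challenge/response mail; an empty list means it looks genuine."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. A real challenge answers a message we sent, so it cites our Message-ID in
    #    In-Reply-To/References. A forged challenge cannot know that ID.
    cited = set((msg.get("In-Reply-To", "") + " " + msg.get("References", "")).split())
    if not cited & sent_ids:
        findings.append("cites no Message-ID of a message we actually sent")
    # 2. The verification link should sit under the sender's own domain. On its own this
    #    check is weak: a spammer controls both the From domain and the link, as in the post.
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    for url in re.findall(r'https?://[^\s<>"]+', body):
        host = (urlparse(url).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            findings.append(f"link host {host} is outside sender domain {sender_domain}")
    return findings
```

Note that the forged sample passes the domain check and fails only the Sent-folder correlation, which is exactly the post's point: once the attacker controls the sender identity, only evidence the attacker cannot fake distinguishes the two.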
Maybe I'm giving spammers too much credit. Maybe challenge/response is being widely used, and spammers are just too dim to have figured out this approach. Hmmm...maybe I should have filed for a patent on this before writing this post -- this could be a gold mine! Got to go, there's work to be done...