2008-07-20
Why I'm mostly out of the email (anti-)spam game
I was once fairly interested in and involved in anti-spam stuff; I spent a bunch of time on anti-spam precautions here, followed news sources, and so on. These days, I find myself much less involved, and although I still care about various spam issues, I don't spend very much time involved with the whole field.
What happened is simple: somewhat to my surprise, the spam problem here was pretty much solved when we deployed a commercial anti-spam solution in combination with greylisting and zen.spamhaus.org. It's not perfect, but the amount of spam that gets through to me has dropped to almost nothing, with almost no effort on my part once we had everything set up.
(One great advantage of commercial solutions is that someone else worries about keeping them up to date. I suspect that the commercial solution is spending far more man-hours than I ever did on this, because this is their speciality and because they can amortize the time over a lot of customers.)
There are still anti-spam improvements I could make to our mail system and I'm still interested in the whole field, but the urgency has gone way down and with it the amount of time I spend on anti-spam stuff. When the problem seems at least 95% solved, it is hard to carve out the time and motivation to work away at the remaining 5% (especially when there is lots of other work to do).
(I admit that my view is influenced by local attitudes. And I do admit that it feels peculiar and somewhat alarming to delegate something as important as our anti-spam filtering to an outside party, however well it's worked out so far.)
2008-07-04
Phish spammers who make it easy
For my sins, I watch the SMTP logs on a relatively low-activity machine. Recently a number of machines started trying to send it email with the envelope sender of support@PayPal.Inc.com, which to a human is about as clear a sign of phish spam as you could ask for (although computers are not that smart).
As it happens, all of the email (from all of those hosts) was rejected. Not because the mail system detected it as spam, but because there is no such PayPal.Inc.com (sub)domain. So all this phish spam run did was burn a bunch of compromised servers, at least as far as I'm concerned.
(Nor is this the first time that I've seen this sort of thing; for example, not too long ago any number of hosts tried sending me email claiming to be from service@paycpal.com, a domain that helpfully had unresponsive nameservers. In fact, looking at the logs shows previous attempts using PayPal.Inc.com from a couple of months ago.)
One of the things that's interesting to me is what it suggests about the phish spam ecology. These phish spam attempts come from what look like compromised servers, and I tend to believe (perhaps incorrectly) that people who are competent to crack servers wouldn't make such a basic and easily checked mistake with mail (given that Internet mailers have been verifying that the envelope sender domain exists for something like a decade now). This suggests that the crackers don't send the phish spam themselves but instead rent the outgoing mail capacity to the actual spammers, some of whom apparently have relatively little technical skill and don't bother with test runs.
(I wouldn't be surprised if the crackers rent out the entire technical infrastructure, from spam sending to phish site hosting to collecting the information that people submit and sending it on to the phish spammer.)
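The check that rejected these messages, as an added example that is not from the post or from any particular mailer: an envelope-sender domain verification in the style a receiving MTA performs, distinguishing a nonexistent domain (permanent reject) from one whose nameservers do not answer (temporary reject). PayPal.Inc.com and paycpal.com are the domains from the post; FakeDns and the other names and records are constructed so the code runs offline.

```python
from dataclasses import dataclass, field

class TempDnsError(Exception):
    pass  # lookup produced no definite answer (timeout or SERVFAIL)

@dataclass
class FakeDns:
    """Constructed offline stand-in for DNS: records maps (name, rrtype) -> values."""
    records: dict = field(default_factory=dict)
    unreachable: set = field(default_factory=set)  # names whose nameservers never answer

    def lookup(self, name, rrtype):
        if name in self.unreachable:
            raise TempDnsError(name)
        return self.records.get((name, rrtype), [])

def sender_domain(envelope_sender):
    """Lowercased domain of a MAIL FROM address; None for the null sender <>."""
    addr = envelope_sender.strip().strip("<>")
    if addr == "":
        return None  # bounces use MAIL FROM:<>, there is nothing to look up
    _local, sep, domain = addr.rpartition("@")
    return domain.lower() if sep else ""

def check_sender_domain(envelope_sender, dns):
    """Decide MAIL FROM like a verifying mailer: 250 accept, 550 permanent reject
    (domain provably takes no mail), 450 temporary reject (DNS gave no answer)."""
    domain = sender_domain(envelope_sender)
    if domain is None:
        return 250, "null sender, no domain to verify"
    if not domain:
        return 501, "sender address has no domain part"
    try:
        mx = dns.lookup(domain, "MX")
        if mx == ["."]:  # RFC 7505 null MX: the domain says it accepts no mail
            return 550, "sender domain publishes a null MX"
        if mx or dns.lookup(domain, "A") or dns.lookup(domain, "AAAA"):
            return 250, "sender domain has MX or address records"
    except TempDnsError:
        return 450, "sender domain DNS lookup failed, try again later"
    return 550, "sender domain does not exist"

# Constructed zone data; PayPal.Inc.com (absent) and paycpal.com are the post's domains.
EXAMPLE_DNS = FakeDns(
    records={
        ("example.com", "MX"): ["mail.example.com"],
        ("a-only.example", "A"): ["192.0.2.10"],  # no MX, so implicit MX via A
        ("nomail.example", "MX"): ["."],
    },
    unreachable={"paycpal.com"},
)
```

The 450 path is why the paycpal.com run was also rejected: a mailer that cannot resolve the sender domain defers rather than accepts, and a sender that never retries gets nothing delivered.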