2013-07-30
Phish spam and outside events
I wrote my advance fee fraud spam aphorism about how advance fee spammers take advantage of world events for their come-ons. It strikes me as interesting that I've never seen phish spammers do that. I actually thought I had a case from this weekend and I was going to write it up here, but on looking at the phish spam again it's merely trying to get my Apple ID, not my Apple Developer ID (the latter would be topical given the commotion with the Apple Developer Center security issue).
(I don't have either and I don't think there's any suggestion anywhere that I do. But then as far as I know I've never gotten particularly targeted phish spam in general.)
Assuming that I'm not just missing out on phish spam that refers to current events, I wonder why phish spammers don't seem to do this in the same way that advance fee fraud spammers do. Possibly it's because current events are harder to exploit for phish spam because the results the spammers want are more focused and narrow. If you're not interested in Apple Developer IDs, for example, the recent security issues there are totally useless for you. By contrast advance fee fraud is always after the same thing (you giving them money) and can use many hooks to justify it.
Even with that I'm still a bit surprised that I haven't seen much or any phish spam that said something like 'in light of recent security incident <X> we're asking all of our users to ...'. Perhaps phish spammers also just don't want to remind their targets of security issues lest the targets think twice about the spam itself.
2013-07-02
Today's question: are anti-spam statistics useful for us?
In the postscript of my recent DNS blocklist stats I basically raised a question in passing: are anti-spam stats I can generate here actually useful, or are they just vaguely interesting? In the jargon, are they actionable information?
When I put it this way, the answer is pretty much no. As I see it, there are two possible reasons anti-spam stats could be actionable here: they could point out some problem in our anti-spam filtering or they could help us allocate limited system resources to anti-spam things with the highest payoff (so we could, for example, eliminate an expensive anti-spam step if it wasn't doing us any good). But neither of these actually applies to us because our anti-spam stuff is basically a black box that we don't tune and the machines involved in this show no signs of being anywhere close to running out of resources.
(Arguably we should monitor our use of DNS blocklists to see if they're doing us any good. But it seems very unlikely that either the CBL or zen.spamhaus.org will stop being effective any time soon and if they do temporarily get quiet, it's not like it does any harm to have them present.)
There are somewhat actionable statistics, but they aren't really accessible. What really matters is the amount of mis-classification that's going on, ie spam that's missed and non-spam that's incorrectly tagged as spam. However we have no way of telling this; only the users can (if they bother to check) and we don't currently have any way to collect information on this.
(We assume that we would hear about it if there was a significant amount of either going on. This may be optimistic, and given that the core of our anti-spam system is a vendor black box there isn't necessarily anything we could do about it anyways.)
I'm a bit sad about this because I find these sorts of statistics to be interesting and so I'd like it if they were also useful. It also means that it doesn't really make sense to spend much time doing things like improving the mail system's logging to help out statistics gathering.