Minimalistic spam, another annoyance to worry about

July 20, 2009

I've started getting advance fee fraud spam that has as its entire contents something like this:

You won Three Million Anita Meyer : <email address elided>

At first I was amused by the minimalism and lack of effort on the spammer's part; it'd be hard to get an advance fee fraud attempt in fewer words. But the more I think about it, the more that I think this may be more clever than it looks (whether or not it's deliberate).

Modern anti-spam filters are quite good at analyzing text and detecting signs of spam. But tiny, minimal messages like this give them a problem (and indeed this one passed the spam filters with a low score), because there's almost no text for anti-spam tools to sink their teeth into. The less text there is for textual analysis, the more you're going to have to rely on some sort of meaning analysis, which has problems.

(I am relatively convinced of the existence of a general trend of giving anti-spam tools less text to work on. I've been seeing spam where the real payload was a PDF or .doc file for a while; I presume this is done because it (currently) hides the spam text from anti-spam content analysis.)

This text still has markers that could sort of be matched on, and probably a pure Bayesian approach would work well (since there are a number of words in there that probably don't normally appear in your email). But I'm not convinced that either will hold up in the long term; smarter spammers can eliminate the obvious markers, and probably there's a lot of room for rephrasing the message and using a less distinct set of words.
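
The Bayesian point above, as an added example that is not part of the original post: a small naive Bayes scorer trained on a constructed eight-message corpus and applied to the sample message. The corpus, the function names and the two other test messages are assumptions made for the illustration.

```python
import math
import re
from collections import Counter

# Constructed training mail (not real messages): a stand-in for one mailbox.
HAM = [
    "can you review the patch for the mail server before friday",
    "meeting moved to three pm please contact me if that fails",
    "the backup job finished and the server logs look fine",
    "please send me the report about the disk usage",
]
SPAM = [
    "you won the lottery claim your million dollars now",
    "congratulations you have won five million contact our agent",
    "claim your prize you won one million pounds",
    "urgent transfer of ten million dollars contact barrister",
]

def tokens(text):
    return re.findall(r"[a-z]+", text.lower())

HAM_COUNTS = Counter(t for m in HAM for t in tokens(m))
SPAM_COUNTS = Counter(t for m in SPAM for t in tokens(m))
VOCAB = set(HAM_COUNTS) | set(SPAM_COUNTS)

def log_ratio(tok):
    """log P(tok|spam)/P(tok|ham), add-one smoothed over the shared vocabulary."""
    p_spam = (SPAM_COUNTS[tok] + 1) / (sum(SPAM_COUNTS.values()) + len(VOCAB))
    p_ham = (HAM_COUNTS[tok] + 1) / (sum(HAM_COUNTS.values()) + len(VOCAB))
    return math.log(p_spam / p_ham)

def evidence(text):
    """Per-token log-odds for tokens seen in training; unseen tokens carry none."""
    return {t: round(log_ratio(t), 2) for t in tokens(text) if t in VOCAB}

def spam_probability(text):
    """Naive Bayes posterior P(spam|text) with equal priors."""
    log_odds = sum(log_ratio(t) for t in tokens(text) if t in VOCAB)
    return 1 / (1 + math.exp(-log_odds))

if __name__ == "__main__":
    for msg in ("You won Three Million Anita Meyer",   # the sample from the post
                "You won, congratulations!",           # constructed short legitimate note
                "Funds await, reply to Anita Meyer"):  # constructed rewording
        print(f"{spam_probability(msg):.2f}  {evidence(msg)}  {msg!r}")
```

On this corpus the sample scores about 0.96, but the verdict rests almost entirely on "you", "won" and "million"; a short legitimate note that shares those words scores about as high, and a message containing none of them leaves the filter with nothing to weigh.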

Comments on this page:

From at 2009-07-20 02:03:03:

I've noticed these getting by Thunderbird's filter over the past week or so. It looks like it might be starting to catch them, but possibly also f+ing on short but valid messages (not quite enough evidence yet).


Last modified: Mon Jul 20 00:01:54 2009