Spam or Not Spam?

Discussion in 'Mail Chat' started by roundabout, Sep 5, 2011.

  1. roundabout

    Courtesy of the Cloudmark Blog:

    Spam or Not Spam?

    Take a close look at the message below, and then continue reading:

    [​IMG]

    Is this message spam or not? It looks related to a well-known brand, and looks fairly innocuous–submit a survey, get a gift card. It does sound a bit too good to be true, and the mailing address for the unsubscribe link looks a bit strange.

    The things that make the message definitely 100% spam are the things you can’t see. In several different ways the spammer sending this message is using techniques to circumvent spam filters, including the following:

    * Sending from an IP address that has never sent mail before. Using a brand new IP address circumvents real time IP blacklists and exploits default throttling policies that can allow a spammer to send many messages before being blacklisted.
    * The html message content includes meaningless word salad in several blocks of html comments. This is usually an attempt to confuse Bayesian spam filters that use word frequencies to determine spam/legit status.
    * The message contains raw non-ascii characters in an attempt to confuse spam filters that treat messages as null-terminated strings.
    * The message contains several meaningless href= links surrounded by css markup that makes them invisible in an attempt to confuse spam filters looking for a mix of links as an indicator of legit status.
    * The visible href= links in the message use numeric IP addresses instead of hostnames.
    * The IP addresses in the href links are represented in a legal-but-obfuscated format in an attempt to defeat url parsing code. Here’s what the href= link looks like (the IP address has been changed):

    [a href="http://10.000000204.00000044.000031/axkdt/nsn/?clk=..."]

    * All of the readable “text” in the message is actually an image. Attempting to click on the unsubscribe link (or anywhere else around it) sends you to a questionable-looking unsubscribe page.

    It can actually be really tough to determine whether a message is spam or not. Just because an email refers to well known brands doesn’t make it legitimate. Subway most likely doesn’t even know that these spam messages are being sent, even though it has the potential to hurt their image. The best advice is that if it seems too good to be true, it probably is…and/or if you didn’t sign up for messages from the organization, no matter how reputable they are, it may be spam. Other steps you can take are:

    * If possible, configure your email client to not show remote content such as images.
    * Look for unsubscribe links. If the message doesn’t have one, it’s probably not from a well-behaved sender who is adhering to good sending practices.


    Source:
    http://blog.cloudmark.com/2011/08/29/spam-or-not-spam/
     
    Last edited: Sep 5, 2011
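
A URL filter can neutralise the obfuscated-IP trick described in the quoted article by normalising the host before matching it against blocklists. The sketch below is an added example, not code from Cloudmark or from any poster in this thread; the function names and the sample markup (apart from the first href, which is the one quoted above) are constructed for illustration, and it assumes classic inet_aton-style parsing rules.

```python
import re
from urllib.parse import urlsplit

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
PART_RE = re.compile(r'0[xX][0-9a-fA-F]+|[0-9]+')

def parse_legacy_ipv4(host):
    """Parse host with inet_aton-style rules; return a dotted quad or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(PART_RE.fullmatch(p) for p in parts):
        return None
    nums = []
    for p in parts:
        try:
            if p[:2].lower() == "0x":
                nums.append(int(p[2:], 16))
            elif len(p) > 1 and p[0] == "0":
                nums.append(int(p, 8))      # leading zero means octal
            else:
                nums.append(int(p, 10))
        except ValueError:                  # e.g. "08" is not valid octal
            return None
    *head, last = nums
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))

def numeric_hrefs(html):
    """Return (raw_host, canonical_ip, obfuscated) for each href with a numeric host."""
    findings = []
    for url in HREF_RE.findall(html):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:                  # malformed URL, nothing to normalise
            continue
        ip = parse_legacy_ipv4(host)
        if ip is not None:
            findings.append((host, ip, host != ip))
    return findings

# Constructed sample: the first href is the one quoted in the article.
SAMPLE = '''
<a href="http://10.000000204.00000044.000031/axkdt/nsn/?clk=...">survey</a>
<a href="http://www.example.com/unsubscribe">unsubscribe</a>
<a href="http://192.0.2.7/img.png">image</a>
'''

if __name__ == "__main__":
    for host, ip, obfuscated in numeric_hrefs(SAMPLE):
        print(f"{host} -> {ip} obfuscated={obfuscated}")
```

A host whose raw form differs from its canonical dotted quad is a stronger signal than a plain numeric host, since ordinary mail tooling has no reason to emit padded octal.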
  2. roundabout

    Some thoughts:

    What if the person was warming up an IP? Everybody has to start from a new IP sometime. How do they know/assume this was a person spamming? Guilty before innocent.

    The way filters are set up, esp. RAZOR, your message content becomes flagged after so many hash identifications are mapped. Whether it's a paragraph promoting Subway, or a paragraph selling your golf balls to your golf subscribers, the point remains: if you're penalized for sending so many of a specific pattern of words, which is an assumption of guilt, what choice do you have?

    We need to have a debate on techniques improving delivery when delivery shouldn't be hampered to begin with. Treat mail as innocent until proven guilty, and mailers won't have to resort to this. If SPAM complaints come in e.g. scomps, fine, tune up them filters and get aggressive in your filtering. But don't filter until then.

    Could be sloppy html source right from the network, who knows. But this is interesting nonetheless.

    Is there a handbook that states exactly how href links need to look? I agree it looks spammy, but these are all tools mailers may or may not choose to use because they are starting their drops with the filter world against them the moment they push the SEND button.

    A mailer's JOB is to get the mail to the inbox - legally. Let the SCOMPS determine if he should suffer penalties and rep loss, then it's his/her fault. Aggressive filters are why these techniques are used. Sorry, but my 2 cents is if you can't come up with some of these techniques, you don't stand a chance.
     
    Last edited: Sep 5, 2011
  3. DKPMO

    At least Cloudmark is sharing their filtering criteria.

    :top:
     
  4. PushSend

    fuck these guys...

    All I can do after reading this is shake my head in disgust. There are SOOO many things that this highlights as flaws in filtering and the anti's approach to email marketing. Basically they label ANYONE sending mail to be a spammer and that's that. Case closed. With nothing said about this user's preferences or whether or not they opted in for this mail. And the IP, was it foreign or domestic? People get all bent outta shape for racial profiling, nothing different here.

    But this is pushing me towards testing a crazy idea I had a couple of years ago and can now test. It's super crazy but it just might work. I'll get this project rolling and share my results here.

    :ridinghorse:
     
