[sf-lug] spam vs. anti-spam

Rick Moen rick at linuxmafia.com
Fri May 14 21:12:22 PDT 2021


Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

> Yeah, there's massive armies of spambots ... and though often rather to
> quite capable, at the same time they're often pretty stupid too.  

Basically, the spammer motto is "We do just about everything stupidly,
_but_ we make it up in volume."  This colossal waste is enabled _in part_
by the computing resources (machines, CPU, RAM, bandwidth) being 99.9%
stolen -- running botnets on massive numbers of (other people's)
malware-infected MS-Windows machines.

> E.g. spam I've received - and likely even still receive (but probably
> well below the threshold I even look at it or even see Subject: etc.),
> an ex-friend (only one of those I have, but that person quite "earned"
> it - but that's another story).  Well, I'd get spam, forged from them,
> and CCed to ... every bloody damn person that was quite obviously in
> their address book(s) / contact list(s)

The core of how that works is that typical MS-Windows malware does a MAPI 
call, giving instant access to the user's address book and typical
communications patterns.  This stolen data then gets sent back across 
the Internet to the bad guys' servers in Eastern Europe or wherever, and
added to the big-ass database of who-is-connected-to-whom -- for use in
future socially-engineered spam and malware outreach.

In addition to the MAPI call, the malware also typically sweeps through
the local Web browser cache, grepping for similar things of interest
about whom the user talks to and what he/she does on the Net -- which
then likewise gets reported out.

Further to your point, this indirectly affects you and me even though 
we are not MS-Windows victims^W users, let alone ones who go around
infecting our workstations, because all it takes is for some of our
correspondents or fellow mailing-list posters to get that sort of
malware infestation, and the bad guys learn a lot about our circles of
acquaintance on the Net, through wiretapping, so to speak, the other
side of those communications.

Anyway, the above is, to the best of my knowledge, the main reason that
a lot of spam/scam mailings have seemed, in recent years, to be getting
better targeted to specific persons and not quite so dumb from top to
bottom.

The above is _also_ why the people -- and there are always some -- who
seriously think they can hide from spammers by never permitting their
e-mail addresses to appear on publicly archived mailing lists are
kidding themselves.  A newly used e-mail address will reliably start
getting harvested by the bad guys within a month or two of the user 
corresponding with even a few correspondents in private e-mail, as long
as some of them are MS-Windows users and at least one of them is
reckless about security -- and frankly, pretty much every Internet
user's circles of correspondence include a few.
> I think another way it happens, many
> (dis-)"service"s, e.g. Facebook, have an option like "upload all your
> contacts" (usually along with we pinky promise not to abuse or lose it)
> - often they even have the user feed such "service" their login and
> password(!) to, e.g. gmail, or wherever they have all this contact
> data, so the "service" can suck that all out.

LinkedIn _definitely_ does that.  

On typical Mailman lists, I need to have a catchall spam filter to
intercept and discard LinkedIn crud sent out continually on behalf of at
least one subscriber, trying to get _the mailing list_ to join LinkedIn.
This mailing list has (and needs) such a filter, for example.  I will
not name & shame the guilty subscriber.  ;->


> Yeah, I've seen a fair bit 'o spam that attempts to do some
> list-related spoofing - thus far none that seems quite "smart" enough
> to mostly make it through as legitimate....

We're all going to start having problems if they manage that.  I keep
monitoring.

> I'm sure many spammers do stuff to quite track which email addresses
> are "live" - or at least deliverable or accepted the email ... and
> which actually generated a human (or human-like) response - e.g. used a
> tracked link in the email.

The classic would have been those 1x1 pixel "Web beacon" hyperlinks, but 
it really could be anything remote referenced, that then makes a log
entry on some server.

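An added example, not part of either message above: a small Python check in the defensive direction of the beacon point, pulling the remotely referenced resources out of an HTML mail body and flagging the ones that look like tracking beacons (1x1 images, or URLs carrying an opaque per-recipient token). The sample body, the host names under the reserved .invalid TLD, and the token heuristic are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs, unquote

# Attributes a mail client fetches automatically while rendering the body.
AUTO_FETCH = {"img": "src", "link": "href", "source": "src", "video": "poster"}

class RemoteRefFinder(HTMLParser):
    """Collect every http(s) resource an HTML mail body would load on display."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        key = AUTO_FETCH.get(tag)
        url = (a.get(key) or "") if key else ""
        if url.startswith(("http://", "https://")):   # cid:/data: parts stay local
            self.refs.append({"tag": tag, "url": url,
                              "width": a.get("width"), "height": a.get("height")})

def looks_opaque(s):
    """Heuristic: an identifier long enough to be unique per recipient (hex/base64-ish)."""
    s = unquote(s).split(".")[0]            # drop a file extension such as .gif
    return (len(s) >= 20 and re.fullmatch(r"[A-Za-z0-9_=-]+", s) is not None
            and any(c.isdigit() for c in s) and any(c.isalpha() for c in s))

def classify(ref):
    """Return the reasons a remote reference looks like a tracking beacon."""
    reasons = []
    if ref["tag"] == "img" and ref["width"] in ("0", "1") and ref["height"] in ("0", "1"):
        reasons.append("1x1 image")
    u = urlparse(ref["url"])
    values = [v for vals in parse_qs(u.query).values() for v in vals]
    if any(looks_opaque(part) for part in u.path.split("/") + values):
        reasons.append("opaque token in URL")
    return reasons

def find_beacons(html):
    """Map each auto-fetched remote URL to the beacon indicators it triggers."""
    parser = RemoteRefFinder()
    parser.feed(html)
    return {r["url"]: classify(r) for r in parser.refs}

# Constructed sample message body (hosts use the reserved .invalid TLD).
SAMPLE = """<html><body><p>Hello,</p>
<img src="https://example.invalid/logo.png" width="120" height="40">
<img src="https://track.example.invalid/o/7f3a9c2e1b8d4e5f6a7b8c9d0e1f2a3b/p.gif" width="1" height="1">
<img src="https://cdn.example.invalid/open?rid=a1b2c3d4e5f6g7h8i9j0k1l2">
<img src="cid:inline-logo" width="1" height="1">
</body></html>"""
```

Calling find_beacons(SAMPLE) flags the second and third images and leaves the plain logo alone; a mail client configured not to load remote content defeats all of them, which is the practical mitigation.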