SPAM FILTER EFFECTIVENESS

This is a vastly oversimplified and incomplete document about the ineffectiveness of spam filters. Its purpose is to give a view of the process involved and an understanding of the major parts of the system.

Spam filters need to be able to tell the difference between a legitimate email and spam. A predictable pattern needs to be identifiable so that the spam filter knows what to stop.

A spam filter attributes a spam value to each email. In its simplest form there are five values: off, low, medium, high and blacklisted.

All blacklisted emails are rejected. That leaves the low, medium and high settings.

There are several patterns which can be used to identify spam.

First, the email itself has to be reported, or identified, as spam and placed in one of the four spam categories.

Then a pattern has to be identified.

1 – The ‘sender’s name’.

2 – The ‘subject’.

3 – The sender’s IP.

4 – The content.

5 – The composition of the content.

6 – A variation in the volume of email through a particular gateway or from a particular computer.

7 – The sender’s email address.

Let’s deal with each in turn and demonstrate how a spammer used to be identified.

1 – The ‘sender’s name’.

A spammer can change their name for every email they send. Sometimes they will change their name to yours!

2 – The ‘subject’.

In the good old days, the subject used to be related to the email; now it is more sinister. They can use what looks like your bank, PayPal, competitions and so on. Spammers will use anything (and I mean anything) to try to get you to open/read their email.

3 – The sender’s IP.

Firstly, this is easily masked. Secondly, spammers take over someone else’s PC to spam from, thus protecting their own IP. The IP of that machine (and probably its domain) may become blacklisted.

4 – The content.

In the good old days the content of spam was consistent, so once one email was reported as spam, the filters stopped the rest of the emails.

5 – The composition of the content.

Formulas can be used to identify some types of spam, for example by looking for certain rude words, references to illegal material and so on. To get round this, spammers replace letters within words with look-alike characters. For example, they use ‘!’ instead of ‘I’, ‘5’ instead of ‘s’ and so on.
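As an added illustration (not the author's code), here is a small Python filter that undoes the character substitution described in item 5 before matching a word list, then maps the hit count onto the off/low/medium/high/blacklisted levels described above. The substitution map, watch words and sample messages are constructed for the example.

```python
import re

# Constructed substitution map: characters spammers swap into words to evade
# a plain word match ('!' for 'i', '5' for 's', and a few more). Not from the page.
SUBSTITUTIONS = str.maketrans({
    "!": "i", "1": "i", "|": "i",
    "5": "s", "$": "s",
    "0": "o", "@": "a", "4": "a", "3": "e", "7": "t",
})

# Constructed watch list; a real filter would use a much larger, maintained list.
WATCH_WORDS = {"viagra", "casino", "lottery", "winner"}


def normalise(text: str) -> str:
    """Undo character substitution and padding so an obfuscated word
    collapses back to its plain form, e.g. 'V!agr4' -> 'viagra'."""
    text = text.lower().translate(SUBSTITUTIONS)
    # strip anything that is not a letter or whitespace, so 'c.a.s.i.n.o'
    # becomes 'casino'
    return re.sub(r"[^a-z\s]", "", text)


def watch_word_hits(text: str) -> int:
    """Number of words in the normalised text that appear on the watch list."""
    return sum(1 for word in normalise(text).split() if word in WATCH_WORDS)


def classify(text: str, sender_blacklisted: bool = False) -> str:
    """Map the hit count onto the five levels the document describes:
    off, low, medium, high and blacklisted (a blacklisted sender wins outright)."""
    if sender_blacklisted:
        return "blacklisted"
    hits = watch_word_hits(text)
    if hits == 0:
        return "off"
    if hits == 1:
        return "low"
    if hits == 2:
        return "medium"
    return "high"


if __name__ == "__main__":
    # constructed sample messages
    for message in ("Meeting moved to 3pm, see you there",
                    "You are a W!NNER of our L0ttery",
                    "V!agr4, ca5ino and l0ttery deals"):
        print(f"{classify(message):12s} {message}")
```

Note that the normalisation is deliberately aggressive: a legitimate "3pm" becomes "epm", which is harmless here but shows why such rules raise a level rather than reject outright.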

6 – A variation in the volume of email through a particular gateway or from a particular computer.

If a server sends out 1000 emails a month and this suddenly rises to, say, 10,000 a day, then it may be treated as a compromised server and its emails treated as spam. The ISP may shut down the server.

7 – The sender’s email address.

If you get email from a@b.com and it is spam, you can reject it as such. Spammers know this and can change the sender’s email address for every email they send. If you get an email from someone you know, you are more likely to open it, so it is in a spammer’s interest to know who is in your inbox. That is why your colleagues may get spam allegedly sent from you! They can pick up your details and your friends’ details from packet snooping, a compromised mail system, hacking your computer, hacking any of your colleagues’ computers, Facebook (or any online social system), Christmas lists, other spam and, of course, they can purchase email lists from other spammers. This is not an exhaustive list.

If this happens, it is best to change your password and maybe even change your email address.

If your level of spam is serious, you may need to change your email address. If you host your own email (for example, Exchange), you may have to change your domain. I have a separate page on how to do this. Even after you do that, there is no guarantee you will not receive spam again within a few days.

Spam filters can make promises, but spammers are always ahead of them. Spammers are sending out ever-increasing amounts of spam; it is now reaching epic proportions and we are powerless to stop it.

Colum Maguire.

This document is incomplete. Adjustments and recommendations gratefully received.